The core engine needs to have syntax (GRANT, REVOKE) to apply security to generators, charsets, collations, domains, functions and exceptions.
Functions should use the EXECUTE permission and everything else the USAGE permission. The SQL spec defines USAGE for domains and sequences.
It should be possible to grant any non-owner permission to ALTER or DROP a particular object. There should also be a CREATE privilege that allows the grantee to create objects of particular types. This applies to all metadata objects, not only the new ones.