Why are users permissions at controller level and not at route level?

I’m the author of strapi-plugin-shopify, a plugin to manage a Shopify application from Strapi with installation and authentication, and I’m now adding a permissions feature to it.
To start, I decided to have a look at @strapi/plugin-users-permissions, and I’ve seen that permissions are handled at the controller level: all the controllers are iterated and the list of all possible permissions is generated from there.
Wouldn’t it be simpler to iterate routes and generate the list from there?