If I have an access request policy and I add a permission to it then the
permissions is removable for the user (he can click on the trashcan icon
in the Access Request view).

If I have another permission and add that permission to a technical role
and then add that technical role to the access request policy the user
can't remove the permission granted through the technical role because
there is no trashcan icon in the Current Access view.

What is the best practice?
When should one add permissions directly to a request policy and when
should one add technical roles instead?

Am I right in assuming that the user can't remove a permission granted
through a technical role because a technical role may contain multiple
permissions and that a user shouldn't be able to request removal of
access granted using technical roles even if the user himself requested
that access?