JSON data is not getting recognized, so statements like the following result in broken JSON-strings. In MySQL it doesn't happen because JSON is recognized as a datatype. If adding JSON as a datatype is not an option to consider, then maybe add an optional parameter to "JSON_OBJECT()" to check the passed attributes to not escape them again. When advertising JSON-support in MariaDB 10.2 results in generating those strings manually via "CONCAT()" is not what people expect and this is the only reason I can't use MariaDB in nearly all of my projects.
Note: If testing in MySQL 5.7, cast the concatenated JSON-value of "Permission" as JSON manually, so it wont be escaped again.