The ensure* stuff for PG is not mature enough. There is an attempt to bring database-specific options in [WIP]: PostgreSQL declarative databases by talyz · Pull Request #72365 · NixOS/nixpkgs · GitHub. I think it can also host per-db permission configs.
If you want to include your permission settings in the declarative config, you can hack on the postStart script.
systemd.services.postgresql.postStart = lib.mkAfter ''
  $PSQL mydb -tAc 'GRANT ALL ON ALL TABLES IN SCHEMA public TO paluh' || true
  $PSQL mydb -tAc 'GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO paluh' || true
'';
(off the top of my head, didn’t test, but I did use this)
The || true is optional.