A Workflow instance is created under the privileges of the invoker (the user session), or possibly of the session of the JCR Node provided as the 'subject' of the workflow, or (if invoked through another workflow) of the internal workflow session.
The actual subject (Node) passed into the workflow is always managed by (retrieved through) the internal workflow session.
If additional permission checks need to be done within such a workflow, you typically can and should do them against the user session (available through the WorkflowContext).
However, if a workflow invokes another workflow (like the TranslationWorkflow invoking the CopyWorkflow), then the 'subject' session to be used is the internal workflow session (meaning that in practice all restrictions are lifted).
But the invoked workflow has no way of determining how it was invoked, so which session should it use?
For this purpose, the WorkflowContext will be enhanced to also provide separate access to the subject session, which is the session used to check the instantiation of the workflow itself.
This subject session will therefore always be the correct one to use for subsequent permission checks within the workflow itself.
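
The distinction above, as an added example that is not the project's own code: a simplified Java model with no JCR dependency, in which `Session`, `WorkflowContext`, `subjectSession`, `forNestedWorkflow` and `copyAllowed` are hypothetical stand-ins and the grants and paths are constructed sample data. It shows one permission check in the invoked workflow giving the right answer for both invocation paths, and what checking the user session would do in the nested case.

```java
import java.util.*;

// Simplified model of the sessions described above; not the real workflow or JCR API.
class SubjectSessionDemo {
    // Stand-in for a JCR session: the "action:path" pairs it may perform.
    static final class Session {
        final String name; final boolean unrestricted; final Set<String> grants;
        Session(String name, boolean unrestricted, String... grants) {
            this.name = name; this.unrestricted = unrestricted;
            this.grants = new HashSet<>(Arrays.asList(grants));
        }
        boolean hasPermission(String path, String action) {
            return unrestricted || grants.contains(action + ":" + path);
        }
    }

    // Hypothetical context: subjectSession is the session the instantiation was checked against.
    static final class WorkflowContext {
        final Session userSession, internalSession, subjectSession;
        WorkflowContext(Session user, Session internal, Session subject) {
            userSession = user; internalSession = internal; subjectSession = subject;
        }
        // A workflow invoking another workflow passes the internal session on as subject session.
        WorkflowContext forNestedWorkflow() {
            return new WorkflowContext(userSession, internalSession, internalSession);
        }
    }

    // Step of the invoked (copy) workflow: written once, correct for both invocation paths.
    static boolean copyAllowed(WorkflowContext ctx, String destination) {
        return ctx.subjectSession.hasPermission(destination, "write");
    }

    public static void main(String[] args) {
        Session internal = new Session("workflow", true);                   // all restrictions lifted
        Session editor = new Session("editor", false, "write:/content/en"); // constructed grant
        String target = "/content/fr";                                      // editor cannot write here

        // Invoked directly by the editor: the check runs against the editor's own privileges.
        WorkflowContext direct = new WorkflowContext(editor, internal, editor);
        System.out.println("direct copy allowed: " + copyAllowed(direct, target));
        // Invoked by another workflow: the subject session is the internal workflow session.
        WorkflowContext nested = direct.forNestedWorkflow();
        System.out.println("nested copy allowed: " + copyAllowed(nested, target));
        // Checking the user session here instead would reject the parent workflow's call.
        System.out.println("nested, user session check: "
                + nested.userSession.hasPermission(target, "write"));
    }
}
```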