How about the local (normal space) instance surrounding your carrier being your "private property" (not counting as being part of the permit locked system)? That way, since fleet carriers cannot supercruise (I think), your carrier could jump anywhere unrestricted, but those CMDRs who don't have the local permit just wouldn't be able to low wake out of the instance into supercruise, but they could still high wake out of the system just fine, provided they had the necessary jump range.
Any system would need to be capable of dealing with any permutation of circumstances, though.
You could, theoretically, plot a jump to, say, LHS 20 and a bunch of pleb's could board your ship.
You could then cancel that jump and, instead, plot a jump to Isinor, Sol or Achenar, thus requiring all your passengers to have Fed/Imp/Alliance permits.
Ideally, it'd be nice if, at the very least, an unauthorised passenger got a load of flashing red lights on the landing pad and then got dumped off the ship.
Trouble is, the owner of the Carrier can plot a course at any time, passengers can dock at any time, there's the issue of people docking and then logging out and then, on top of all that, there's the issue of the jump, itself, happening during server down-time.
The more I think about it, the more it seems like the only way jumps to permit-locked systems could be managed is by the rather mundane mechanic of unauthorised passengers simply being left behind.
Course, if ships like the Gnosis simply can't jump to permit-locked systems, FDev's initial plan is probably for the same restrictions to apply to Carriers too, in which case people will have to raise the issue with FDev so they can see if they can come up with a better solution.