The workflow field is pretty much just a normal select field, and adding support for specific permissions for that field would be on a par with field-level permissions in general, which is something that is not on the radar, due to the complexity.
The backend does include the necessary framework for allowing ‘button press’ to be a capability distinct from update, and it is something that has been considered. The biggest issue is that when a button executes, it does so with the permissions of the person who pressed it, which means there could be some frustrating experiences. For example, if the button has been configured so as to update a specific field value when it is pressed, the user might have the capability to press the button, but not the capability for the button actions to be executed!