A summary of what gets created…
There are 2 pods for an application foo:
pod/foo (the workload pod)
pod/foo-operator (runs the charm)
The operator pod always has a service account created for it by Juju. The operator pod’s service account rules are set by Juju and are not currently configurable. These are used to create serviceaccount/foo-operator
The pod spec can contain a serviceAccount block. If set, this service account is created as serviceaccount/foo for the workload pod and will have the specified rules.
There is a default service account also. If the pod spec does not contain a service account definition for the workload pod, this will be used.
Workloads that need extra privileges will need to have a bespoke service account configured.
Allowing the operator to gain privileges over and above what Juju needs goes back to the juju trust thing in an earlier post.
If your charm needs to do things not currently allowed, you will need to create the extra role binding(s) manually as you have done.
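For illustration, a pod spec carrying a bespoke serviceAccount block for the workload pod (added example, not from the thread); the field names follow the v2 pod spec format as I know it, and the rules are a constructed least-privilege set (read-only on pods) rather than anything from the post.

```yaml
# Pod spec v2 fragment for application "foo" (constructed example).
# The serviceAccount block is what Juju turns into serviceaccount/foo
# for the workload pod; the operator pod's account (foo-operator) is
# managed by Juju and is not set here.
version: 2
serviceAccount:
  automountServiceAccountToken: true   # mount the token so the workload can call the API
  global: false                        # namespace-scoped Role/RoleBinding, not a ClusterRole
  rules:
    # Grant only what the workload actually needs: read access to pods
    # in its own namespace. Add verbs/resources one at a time as required
    # rather than starting from a broad grant.
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
containers:
  - name: foo
    imageDetails:
      imagePath: example.invalid/foo:latest   # placeholder image reference
    ports:
      - containerPort: 8080
        protocol: TCP
```

Setting `global: true` instead would make the rules cluster-wide, so keep it `false` unless the workload genuinely needs access outside its namespace.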