I don't have a solution but thought I'd just say I feel your pain on this. We're now using 3 preconfigured LTI tools in our Moodle instance and I have them set to show as discrete items in the activity chooser. What's missing is the ability to make these available to only the roles I want to see them. What I ideally want is the ability to set permissions on each tool, in the way you can for any other activity or resource type.
As it is (and you describe) it's only possible to set permission on the external tool; remove it and all the preconfigured ones go with it too. This is what I've done and I'm giving out External Tool capabilities to certain users on a needs basis. Not ideal.
What I might end up doing is hiding the External Tool in the chooser via code, but only if I can't find another solution.
Have you looked for a tracker for this at all? If I get time I'll do a trawl and see what I can find. One of us should probably raise a tracker issue for it.