I was able to pinpoint another place that push notifications are being forcibly unsubscribed when they shouldn't be... When a user needs to redo their two-step authentication, the two-step page has no XF.config.userId set, so the browser (and PWA) is told to unsubscribe from push notifications.
The browser/PWA is left in a state where Notification.permission = "granted" but XF.Push.isSubscribed = false. And you can't programmatically resubscribe because the browser only allows a push subscription to "start" (since it was killed on the two-step page) with a user gesture.
>> Notification prompting can only be done from a user gesture.
TL;DR: Push notification permissions are completely wiped out when the user needs to do a two-step auth (after 30 days by default).