The garbage collector deletes builds. This is an admin-only action.
It also uses untagBuildBypass, which was originally admin-only, but now works with the tag permission.
Note that koji-gc does not normally use the force option for untagging. Due to a quirk in the tag access check, koji-gc will fail to untag from tags that require a permission it does not have (even if it has admin), so it needs to have any perms that are routinely used for tag access. Clearly this is kind of obtuse and we probably ought to make it simpler ;)