To follow up on this, the app FMD ("Find My Device"), available on the F-Droid store, does _exactly_ what I want - you can very selectively grant it whatever permissions you want to enable various commands over various transports.
In my case, I have it set up to only allow the "ring" command when triggered from select contacts via SMS; no location access, no network access, no sensors access, nothing but SMS (and I did allow it to manage do-not-disturb, display over other apps and exempted it from battery optimizations).
Works great - I send it an SMS `fmd ring long` and it rings until I stop it.
https://f-droid.org/en/packages/de.nulide.findmydevice/
Thanks to @mellamoessucasa for the tip!