It seems there is no way to control the credentials finely for template management. For instance, SGS_CLUSTER_MANAGE_INDEX_TEMPLATES gives full access to everything.
Would it be possible to add a privilege to act only on templates that affect index pattern foo-* ?
At the moment this is not really possible. It might be solvable, but not easily. The main challenge here is that a template request contains index patterns for indices that might not exist (yet). So our regular index resolution for determining access permissions will not work ootb. We would need to treat template requests via a separate logic. However, since both the template request and the hypothetical index template permission can and will contain index patterns with wildcards (and even regex), we would need to match one regex against another regex, multiple times when multiple index patterns are provided. Which is probably not 100% solvable at all … 
I understand, it’s better to not do it if the solution is bogus 