Strange the package doesn't contain such an ACL rule.
On the other hand, I read the Replication agent configuration documentation again. There, they speak of an "Alias update" option you should enable to send vanity path invalidation requests to Dispatcher. The same should be done on your Dispatcher Flush Agent running on the publish instance as documented here. I will give that a try that as well, without using the vanityurls-components package.