For the Platform Event "Automated Process" user, why do both Visualforce controller access and email sending fail?

Salesforce support has confirmed that the "Automated Process" user is lacking key permissions and that there is no way to add permissions, and that the ability to switch to a specific User to execute the Platform Event triggers has no planned release version.

So the bottom line is, don't assume that everything will work when you are handling a Platform Event: test early before you waste your time.

PS

See vernimi2's suggestion that adding a permission set may work.


What helped in our project regarding the class access, for example when Process Builder is calling an InvocableMethod-annotated Apex method and requires access to the class, was to assign the Automated Process user a permission set. The permission set cannot be assigned on the permission set assignment page in the Salesforce UI, and the assignments are not visible there.

It is possible to assign it through anonymous Apex though; please see the example code below:

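// Look up the permission set to grant (must already exist in the org).
PermissionSet permissionSet = [
    SELECT Id, Name
    FROM PermissionSet
    WHERE Name = 'Automated_Process'
];

// Look up the system "Automated Process" user that runs Platform Event triggers.
User automatedUser = [
    SELECT Id, Name
    FROM User
    WHERE Name = 'Automated Process'
];

// Build the assignment linking the permission set to that user.
PermissionSetAssignment permissionAssignment = new PermissionSetAssignment(
    PermissionSetId = permissionSet.Id, 
    AssigneeId = automatedUser.Id
);

// Create the assignment; it will not show up on the UI assignment page.
insert permissionAssignment;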

The code above assumes that the Automated_Process permission set exists in the org. This can also be used for any CI automation when creating a scratch org where the class access or some other permission is needed for the Automated Process user.

Hope this helps a little bit, and it would be interesting to see if it might solve the VF email templates access permissions; please let me know if you have a chance to try it.
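Because these assignments do not appear in the UI, a repeatable CI step should both avoid duplicate inserts and print what the system user actually holds. The anonymous Apex below is an added example, not code from the answer above; it assumes the same 'Automated_Process' permission set name and 'Automated Process' user name used on this page.

```apex
// Added example: idempotent assignment plus an audit of the Automated Process user.
// Assumption: the names below match the org (they are the ones used on this page).
String permSetName = 'Automated_Process';
String userName = 'Automated Process';

// List queries avoid the QueryException a single-row assignment throws on zero rows.
List<PermissionSet> permSets = [SELECT Id FROM PermissionSet WHERE Name = :permSetName LIMIT 1];
List<User> users = [SELECT Id FROM User WHERE Name = :userName LIMIT 1];
System.assert(!permSets.isEmpty(), 'Permission set not found: ' + permSetName);
System.assert(!users.isEmpty(), 'User not found: ' + userName);
Id permSetId = permSets[0].Id;
Id userId = users[0].Id;

// Insert only when the assignment is missing, so the script can be re-run safely.
List<PermissionSetAssignment> existing = [
    SELECT Id FROM PermissionSetAssignment
    WHERE AssigneeId = :userId AND PermissionSetId = :permSetId
];
if (existing.isEmpty()) {
    insert new PermissionSetAssignment(AssigneeId = userId, PermissionSetId = permSetId);
}

// Audit 1: every permission set held by the user (profile-owned sets are flagged).
for (PermissionSetAssignment psa : [
    SELECT PermissionSet.Name, PermissionSet.IsOwnedByProfile
    FROM PermissionSetAssignment
    WHERE AssigneeId = :userId
]) {
    System.debug('Assigned: ' + psa.PermissionSet.Name
        + ' (profile-owned: ' + psa.PermissionSet.IsOwnedByProfile + ')');
}

// Audit 2: Apex classes the user can reach through those permission sets.
Set<Id> classIds = new Set<Id>();
for (SetupEntityAccess sea : [
    SELECT SetupEntityId FROM SetupEntityAccess
    WHERE SetupEntityType = 'ApexClass'
    AND ParentId IN (SELECT PermissionSetId FROM PermissionSetAssignment
                     WHERE AssigneeId = :userId)
]) {
    classIds.add(sea.SetupEntityId);
}
for (ApexClass cls : [SELECT Name FROM ApexClass WHERE Id IN :classIds ORDER BY Name]) {
    System.debug('Apex class access: ' + cls.Name);
}
```

Keeping the permission set limited to the specific classes the event handlers need keeps the audit output short and makes unexpected grants easy to spot.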