Permissions like that are done on the project level, not issue type.

There is a request open to do permissions at issue level, but I don't think it's on the roadmap at the moment.

So, while there appears to be no way to do this on the surface, you can actually do it.  Obviously, there are add-ons which can help (Behaviours in the ScriptRunner add-on, Quisapps field security, etc), but natively, you could:

Set the permission scheme to allow the customers to attach and comment on all issues in the project.

Give tasks one workflow, and the other issue types a different one (or set)

On the NON task workflows, add status properties that change the permissions to dissallow the customers group (or role or whatever). 

If, for example, you have your internal users in the group "developers" and your customers are not in it, then you could say jira.permission.comment.group=developers