People do both, though I recommend using it as the primary source of truth. The users who don't have SpiceDB as a primary source of truth typically come from a place where they are already storing authz data in relational DBs, and migrating app code to write to SpiceDB is a heavy lift. Users that don't have SpiceDB as a source of truth will typically use CDC to write data into SpiceDB. It's important to note that using the CDC approach does not have the same consistency guarantees that writing directly to SpiceDB does.