What you mentioned makes it so the token is read-only, or I use the User directly. I could see us having multiple different token restrictions, or maybe even making it customizable.