Yeah, I was thinking of the worst case, when the filter was likely to return way more than you needed. Like, a common query is to fetch all "running" workspaces. Most workspaces are running, so step 1 will return 1k, but you might not be able to read any of those.
So you end up fetching the whole set anyway.
I haven't done the benchmarks, so I don't know what the performance impact will be. I'm in an unfortunate position that the graph nature policy solves a ton of our annoying permissions. I've optimized our current Rego page for all the listing pages, and people have come to like it 😆.
This is kind of the last roadblock as far as "required features".