its generally prefered to model everything as one combined permission so that the calling application does not need to have this domain knowledge. that being said, it is ultimately your call: while SpiceDB can handle the relationships without any issue, sometimes it might make sense to make distinct permissions checks if the numbers are truly large