# spicedb
I'm trying to make sense of the `ExpandPermissionTree` endpoint. I'd expect it to return all subjects who have the given permission on the given resource, but that doesn't seem to be the case: it returns a tree of set operations where the leaves are the subjects. That means that if I want to know which subject actually has the permission, I'd need to apply the operations myself? For example:
```
$ zed permission expand caregivers_csv_upload agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad
agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->caregivers_csv_upload
 └── exclusion
      ├── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->account_manager
      │    ├── user:f71c18fc-fd2f-4a96-ab65-020cb00670c5
      │    ├── user:f9ed57f2-c881-4c3c-9fd5-f67043de3118
      │    ├── user:fdf84719-e48f-4637-b5c4-2efa32948602
      └── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->flag_rostering_integration
           └── user:*
```
There's an exclusion operation with `user:*` so I'd expect SpiceDB to tell me that 0 subjects have this permission. But nothing in the ExpandPermissionTree response seems to contain this information. Am I missing something?
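
An added example, not part of the original post and not SpiceDB or zed code: a client-side evaluator that applies the set operations of an expand-style tree to get the effective subjects. The tuple tree format, the `SubjectSet` and `evaluate` names and the subject ids are constructed for illustration; it assumes `exclusion` means the first child minus the remaining children and that `user:*` matches every `user` subject.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SubjectSet:
    ids: frozenset = frozenset()   # concrete subjects, e.g. "user:alice"
    wild: frozenset = frozenset()  # types granted by wildcard, e.g. "user"

    def has(self, subject):
        return subject in self.ids or subject.split(":", 1)[0] in self.wild


def leaf(subjects):
    ids = frozenset(s for s in subjects if not s.endswith(":*"))
    wild = frozenset(s.split(":", 1)[0] for s in subjects if s.endswith(":*"))
    return SubjectSet(ids, wild)


def evaluate(node):
    """node is ("leaf", [subjects]) or (operation, [child nodes])."""
    op, children = node
    if op == "leaf":
        return leaf(children)
    sets = [evaluate(child) for child in children]
    acc = sets[0]
    for other in sets[1:]:
        if op == "union":
            acc = SubjectSet(acc.ids | other.ids, acc.wild | other.wild)
        elif op == "intersection":
            both = (s for s in acc.ids | other.ids if acc.has(s) and other.has(s))
            acc = SubjectSet(frozenset(both), acc.wild & other.wild)
        elif op == "exclusion":
            kept_wild = acc.wild - other.wild
            if any(s.split(":", 1)[0] in kept_wild for s in other.ids):
                # "everyone except X" needs an exclusion list; out of scope here
                raise ValueError("wildcard minus concrete subjects not supported")
            kept = frozenset(s for s in acc.ids if not other.has(s))
            acc = SubjectSet(kept, kept_wild)
        else:
            raise ValueError(f"unknown operation: {op}")
    return acc


# Constructed tree with the same shape as the zed output above:
# account_manager (three users) minus flag_rostering_integration (user:*).
TREE = ("exclusion", [
    ("leaf", ["user:alice", "user:bob", "user:carol"]),
    ("leaf", ["user:*"]),
])
```
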