in that case you're deciding that not only is direct access risky, so is indirect, and so to cover all your bases, you'd always update the zedtoken at the top level and use it for checking to guarantee your permissions change is reflected before you update the sensitive content