we're working on implementing "personas" in the context of spicedb and its schema. we chose to represent personas as a separate subject, and to define relations as potentially having either a user or persona subject:

definition site {
    relation accesses: user | persona

one of the constraints of personas is that a persona shouldn't grant access to an object that a user wouldn't otherwise have. the way we're currently approaching this is in calling logic, asking for

readPermissions

on both the persona and user and then returning the intersection of the results. I remembered that there's a way to express permissions as the intersection of two relations: https://docs.authzed.com/reference/schema-lang#-intersection. is there a way to use this to push this kind of logic down into spicedb somehow? otherwise my sense is that the way that spicedb works doesn't quite support this sort of constraint concept (which is fine).