I think maybe the reality is that the full way to authorize a user for an action always has to be between multiple systems anyway, whether it's a bit of extra application logic before or after the spicedb API call or even sometimes at work we'd even have to issue an http call to a 3rd party service to know whether they are authorized to perform a certain action.