Realizing that was the "aha" moment of Zanzibar and SpiceDB for me. From the New Enemy Problem blog (https://authzed.com/blog/new-enemies): > It turns out that nobody should really care if someone is given access to an exact copy of something that they once had access to. There is no new information to be gained. If they had saved a copy, or had photographic memory, the end state would end up no different. So the ZedToken only needs to reflect a change in the resource's contents itself, not every possible change to the permission hierarchy