1. you do one of two things, either getting a list of the IDs that a user has permissions on using LookupResources and use that as a

WHERE id = ANY([...])

clause or overfetch a page from the DB and then do a bulk check on it. this is less a property of rebac and more a property of a centralized authorization service. it's also more or less required in order to have resource-level authorization (rather than just saying "this user can see all of the resources of this type".