i agree that i wouldn't reach for caveats for this - caveats are intended to provide some ABAC flexibility but they won't be performant as the core of your authorization system