SpiceDB (and the zanzibar system it's based on) is intended to scale to billions of relations with high write and read throughput. it's optimized around representing things as relations, so that's where I would start. for the search question, I'd recommend having a look at https://authzed.com/docs/spicedb/modeling/protecting-a-list-endpoint. it basically comes down to pre- or post-filtering, or using our Materialize service. we're also in the process of figuring out a set of best practices for ACL-aware search at scale. the current most-promising approach appears to be using Opensearch's support for roaring bitmap filters together with streaming computed Materialize permissions into the instance. we haven't built a POC of this yet, though. i'm not sure I entirely understand your alternative, but I don't think it will scale particularly well if i'm understanding it correctly. caveats are more of an escape hatch compared to relation representation, they can't be cached as well, and I'm not sure what the performance implications of a large caveat context blob are. it'd also help to have more concrete examples of your use case - are users authorized on objects according to attributes?