If I'm understanding this correctly, this would only be if you were building an IAM service that sat in front of SpiceDB and all the applications called into that service and not SpiceDB directly, right?

Platform clients talk to microservices, microservices talk to spicedb. platform clients never talk directly to spicedb. Taking the Bookstore service as an example, you might call SetIAMPolicy with a resource=shelves/mysteries, and bindings for some customer relation on the Shelf defintion in your spicedb schema. The BookStore microservice would take that IAM policy and update the tuples in spicedb using WriteRelationships after validating that the role in the Policy binding is a valid relation in the spicedb schema.

I was looking for something else and randomly stumbled upon this thread. Since this thread, Authzed has launched Fine Grained Access Management (https://authzed.com/docs/spicedb-dedicated/fgam) to granularly restrict tokens. Also, we're looking to implement multi part schemas in the near future (https://github.com/authzed/spicedb/issues/1437)