I will leave it to @Joey for the real answer here, but yes, your intuition is correct: you'll want to have your backend either re-expose SpiceDB as a new API (after verifying the identity of the caller), or you'll want to just preload the right things and send them with the page context.