If you used zedtoken1 it could return “has permission”. Using fully consistent will get you the answer that you want, but at the cost of performance. The general recommendation is to store zedtokens alongside content, and only update the zedtoken when the content changes. Thus, the particular sensitive version of the content will be protected, regardless of what mutations are happening to permissions outside of that.