or would the approach be to check the

create

permissions on some

transfer

using authzed, and then it's the application's responsibility to enforce some notion of quantitative limits