we're doing just the former. we replicate into spicedb from the other services where entities are held, and we really only use SpiceDB for authorization ("who can access what") questions