The ReBAC approach for access control is the standout detail here — using relationship-based permissions instead of simple RBAC means you can model document ownership, editor invites, and viewer links as actual graph relationships. I'm going to look into how Permit.io handles permission inheritance for nested document structures.