Excellent breakdown of a problem that's becoming increasingly common in enterprise AI systems. We've noticed many teams focus on prompt injection defenses while overlooking retrieval-level authorization. The "authorization before retrieval" approach makes a lot of sense, especially for multi-tenant SaaS platforms where document access policies can vary significantly between customers. Curious how this approach performs when permission graphs scale to thousands of users and documents.