Using views is a good practice anyway, as you do not tightly couple your API to your schema. It's been a few years since I used PostgREST (and to be fair I had no write scenarios to cover), but I do not remember it limiting what security capabilities you have on Postgres. It needed a bit of setup, but nothing terrible. If row-level security does not cover your use case, you are down the path of custom development anyway. My advice: be careful, this is a bottomless pit, with special combinations, overlapping rules, etc. Go with a rules engine; Prolog/Datalog style would be my path.
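The view-plus-row-level-security setup discussed above, as an added example that is not part of the original comment or PostgREST's own code. The schema, table and role names are hypothetical, and it assumes PostgreSQL 15+ (for `security_invoker`) and a PostgREST version that exposes JWT claims through the `request.jwt.claims` setting.

```sql
-- Constructed example; app, api, documents and web_user are hypothetical names.
CREATE SCHEMA app;               -- private tables, not exposed by PostgREST
CREATE SCHEMA api;               -- the only schema PostgREST is configured to expose
CREATE ROLE web_user NOLOGIN;    -- role PostgREST switches to for authenticated requests

CREATE TABLE app.documents (
    id             bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id       text NOT NULL,
    title          text NOT NULL,
    internal_notes text          -- never meant to reach the API
);

ALTER TABLE app.documents ENABLE ROW LEVEL SECURITY;

-- Each caller sees only rows whose owner matches the JWT "sub" claim.
CREATE POLICY documents_owner ON app.documents
    FOR SELECT TO web_user
    USING (owner_id = current_setting('request.jwt.claims', true)::json ->> 'sub');

-- Weak form: a plain view is evaluated with the view owner's privileges.
-- If the owner also owns the table (or is a superuser), the policy above is
-- bypassed and every row is returned through the API.
--   CREATE VIEW api.documents AS SELECT id, owner_id, title FROM app.documents;

-- Corrected form: evaluate the base table as the calling role so RLS applies;
-- security_barrier keeps caller-supplied functions from seeing filtered rows.
CREATE VIEW api.documents
    WITH (security_invoker = true, security_barrier = true) AS
    SELECT id, owner_id, title FROM app.documents;

-- With security_invoker the caller needs its own rights on the base table;
-- column-level grants keep internal_notes out of reach.
GRANT USAGE ON SCHEMA api, app TO web_user;
GRANT SELECT ON api.documents TO web_user;
GRANT SELECT (id, owner_id, title) ON app.documents TO web_user;

-- Check with constructed data, simulating what PostgREST does per request.
INSERT INTO app.documents (owner_id, title, internal_notes)
VALUES ('alice', 'Alice plan', 'n/a'), ('bob', 'Bob plan', 'n/a');

BEGIN;
SET LOCAL ROLE web_user;
SELECT set_config('request.jwt.claims', '{"sub":"alice"}', true);
SELECT id, owner_id, title FROM api.documents;   -- only the row owned by alice
ROLLBACK;
```

Running the final query with the commented-out plain view instead returns both rows, which is the quickest way to confirm whether an existing view is actually subject to the table's policies.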