My current approach is: do what it does now for writes (whitelist/payments); with the addition of auth in the coming months, it can also control reads with these same rules. I will also add fine-grained ACLs for kind lists. This should cover everything I can think of (DM circus and all).
Discussion
yep, that's what i'm in the process of building... i also have already got a failover for auth to use it as a secure CLI via DMs, which is part of where my irritation with the lack of NIP-42 comes from - if no NIP-42, then i have to build out a whole second channel to enable secure administration functions and i just refuse to duplicate things for no reason