SpiceDB checks involving relations with caveats can result in no permission when permission is expected