Verify access right only for RPC

I do not understand. On contrario the proposal makes the design much more explicit and simple.

As I already said this solve nothing. It is exactly the same as what we have now.

The discovery of what is created/modified by the request.

This is already what we do now and it is complex and poor performent as we need to switch context in many placed.