Yes, this is what I realized too. It is why EACL is embedded in the application layer instead of trying to run in a layer above it. To do authorization properly, rules need to be embedded alongside the secured data and decision code needs to run next to application code.