Hey there. As mentioned above, permissions with custom user data do work, and are the correct route to go if you want to restrict access based on arbitrary user fields. The issue outlined above revolves around changing custom user data and expecting permissions to get updated.
As suggested above, if you want this behavior, you must stop and restart the sync session - the easiest way would be to use the session pause/resume APIs as outlined above.
The collaboration approach suggested in the official docs does work given the above caveat.