Want to confirm a few things with ‘A’:MongoDb’s Query Roles (document & field level permissions) versus ‘B’: the Realm Sync Permissions:
(Understanding that ‘Collection Rules’ do not work when Realm Sync is on)
Confirm that ‘A’ is subject to same Realm Sync restrictions as ‘Collection Rules’ (meaning can’t have both)?
Does ‘A’ apply to Realm App’s end-users, system users or both (another post suggests system users)?
Does ‘A’ allow to modify (dynamically) permissions on the fly via Functions, Change Streams and/or some other way (if so please explain)? -and if so (and different than Collection Rules), will those changes affect data downloaded to a device (e.g.: remove data if permission is removed)?
If you enable sync you will not have access to MongoDB’s query roles - only the sync permissions are available. If you don’t enable sync then permissions are determined on connection, when a session is established, with a new GraphQL or MongoDB query command is sent. There is no data to be removed because data is not persisted with non-sync. Permissions can be more dynamic if you use a function for either sync or non-sync - that way you can put your permissions in a document stored on Atlas and query that document when you call the function in permissions.