TBH we only ever had two levels but cache_peer worked fine for us. I can’t really remember running into many headaches with it. We were more concerned with auditing and caching than actively blocking which might be the pain point. We didn’t try to pass along user identities or define groups at the root level.