This seems like a fairly brute-force policy management approach that has the shortcomings outlined in this article from TailScale: https://tailscale.com/blog/rbac-like-it-was-meant-to-be/

What happens when you have sweeping changes to existing policies? It seems like you have to chase down every other line of DSL and fix policies individually.