Good catch, I think that built-in data filtering can actually be a good addition to this new standard. I imagine a Rego rule in OPA (or any other policy language) can accept the result JSON and modify it in place before sending the sanitized/filtered response back to the frontend client.
This is not very performance efficient though - maybe if the source API supports it, the proxy can inject filters (via headers / query params) to the modified request based on the authorization policy.
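As an added example (not code from this thread or from any project mentioned in it), here are the two approaches the comment above describes, sketched in Python: filtering the response after the fact, and pushing the filter down into the upstream request. The role names, the policy table and the `tenant_id` and `fields` query parameters are assumptions for illustration; a real proxy would obtain the decision from a policy engine such as OPA.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed policy: per role, a row constraint and the fields that role may see.
POLICY = {
    "support": {"row_filter": {"tenant_id": "t1"},
                "fields": {"id", "tenant_id", "status"}},
    "admin": {"row_filter": {},
              "fields": {"id", "tenant_id", "status", "card_last4"}},
}

# Constructed sample of what the upstream API might return unfiltered.
SAMPLE_ROWS = [
    {"id": 1, "tenant_id": "t1", "status": "open", "card_last4": "4242"},
    {"id": 2, "tenant_id": "t2", "status": "open", "card_last4": "1111"},
]

def decide(role):
    """Default deny: a role without a policy entry gets nothing."""
    if role not in POLICY:
        raise PermissionError(f"no policy for role {role!r}")
    return POLICY[role]

def filter_response(role, rows):
    """Post-filter: drop rows and fields the role is not allowed to see."""
    policy = decide(role)
    allowed = []
    for row in rows:
        if all(row.get(k) == v for k, v in policy["row_filter"].items()):
            allowed.append({k: v for k, v in row.items() if k in policy["fields"]})
    return allowed

def push_down(role, url):
    """Pre-filter: rewrite the upstream URL so it returns only permitted data.

    Parameters the policy controls replace whatever the client sent, so a
    client cannot widen its own scope by supplying tenant_id itself.
    """
    policy = decide(role)
    parts = urlsplit(url)
    controlled = set(policy["row_filter"]) | {"fields"}
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in controlled]
    query += sorted(policy["row_filter"].items())
    query.append(("fields", ",".join(sorted(policy["fields"]))))
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    print(push_down("support", "https://api.example.test/orders?tenant_id=t2&page=2"))
    print(filter_response("support", SAMPLE_ROWS))
```

Running `filter_response` on the upstream result even when `push_down` is in use keeps the proxy safe if the upstream API silently ignores a filter parameter.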
It's always a valid choice to build your own, just not cost-efficient for some. It's considered safe to use cloud authentication providers like Okta, Auth0, etc. as well as cloud billing providers like Stripe, etc.
An authorization proxy is quite the same, and I would argue that for some teams it is much safer to use than building your own AuthZ. Broken access control is the top OWASP risk for a reason (i.e., implementation complexity).