
Amazing, I was going to start such an endeavour. Zanzibar is to me the best of the ACL systems that I know of, from a theoretical flexibility perspective. However, I was thinking of taking the principles but actually representing the triples as RDF and using SPARQL to represent policies, to use the power of graph engines rather than building my own triple store & query engine. Any reason you went for SQL storage and a custom query engine/language on top?


I don't work at ORY, but I do work on a Zanzibar implementation.

Basically, what you're describing is called "GBAC". GBAC can be great if you need the full power of a typical Graph API, but Zanzibar-like services are focused on solving the problem of finding a path between two edges[1] and doing everything you can to optimize that operation for latency. GBAC is flexible, but at the cost of performance compared to something more structured.

[0]: https://docs.authzed.com/authz/what-else#gbac-graph-based-ac...

[1]: https://authzed.com/blog/identity-isnt-the-foundation/
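The path search the comment above describes, as an added example that is not part of the original thread or of any Zanzibar implementation's code: a permission check is a reachability query over relation tuples. It assumes a simplified model with no namespace rewrite rules; the tuple values and the `build_index`/`check` names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample relation tuples in Zanzibar's "object#relation@subject" form.
# A subject is either a user id or a userset ("object#relation").
TUPLES = [
    "doc:readme#viewer@group:eng#member",
    "group:eng#member@group:backend#member",
    "group:backend#member@user:alice",
    "group:backend#member@group:eng#member",  # cycle, must not loop forever
    "doc:readme#owner@user:bob",
]

def build_index(tuples):
    """Map each object#relation node to the subjects directly granted it."""
    index = defaultdict(set)
    for t in tuples:
        userset, subject = t.split("@", 1)
        index[userset].add(subject)
    return index

def check(index, obj, relation, user):
    """Return the chain of usersets linking obj#relation to user, or None.

    Breadth-first search; the visited set bounds the work when group
    nesting is cyclic, so a check always terminates.
    """
    start = f"{obj}#{relation}"
    queue = deque([[start]])
    visited = {start}
    while queue:
        path = queue.popleft()
        for subject in index.get(path[-1], ()):
            if subject == user:
                return path + [user]  # the path doubles as an audit trail
            if "#" in subject and subject not in visited:
                visited.add(subject)
                queue.append(path + [subject])
    return None  # no path found: deny by default

INDEX = build_index(TUPLES)

if __name__ == "__main__":
    print(check(INDEX, "doc:readme", "viewer", "user:alice"))
    print(check(INDEX, "doc:readme", "viewer", "user:bob"))
```
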


Who else does GBAC? How widely used is it?



