Granular Authorization by Content Item (not just CollectionType)

Hello, I am looking into using Strapi as our content delivery as part of our wider API for customers. I have a question that’s come up that doesn’t appear to be answered elsewhere in the forum (at least from my searching).

One wrinkle to our content is we have many different trees, one for each product, and content may be shared across these products. So a particular item is only accessible to a certain set of customers who have purchased content. I.e., user A has purchased product A, so can access a tree with root item A, but user B, who has not purchased that product, can’t access the tree with root item A. However, if user B has purchased product B (with a different content tree with root item B), that tree might contain some of the content in product A’s tree.

Essentially, what I’m looking for is a way to be more granular with RBAC - not just to the CollectionType-level, but to the Content-Item-level. What I’m thinking of at the moment is creating roles like “Product A User”, “Product B User”, etc., that all access the content specific to their product, and then using OAuth from our API to let users access the tokens for the Strapi roles relevant to them.

Is this type of architecture compatible with Strapi pretty easily, or at least “batteries not included”-level of simple? Or would I have to be looking for a custom plugin or possibly another CMS solution entirely that does this?

Thanks for reading!
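
The access rule described in the post (per-product content trees with shared items, and access granted by purchase), as an added sketch that is not part of the original post and is not Strapi code. All item ids, product ids, user ids and function names are constructed for illustration; the check denies by default and tolerates shared or cyclic links.

```javascript
// Constructed sample data: item id -> child item ids.
// "shared-1" (and its child) appears in both product trees.
const ITEMS = new Map([
  ["root-a", ["a-1", "shared-1"]],
  ["root-b", ["b-1", "shared-1"]],
  ["a-1", []],
  ["b-1", ["b-2"]],
  ["b-2", []],
  ["shared-1", ["shared-2"]],
  ["shared-2", []],
]);

// Hypothetical mappings: product -> root item, user -> purchased products.
const PRODUCT_ROOTS = new Map([["product-a", "root-a"], ["product-b", "root-b"]]);
const PURCHASES = new Map([
  ["userA", ["product-a"]],
  ["userB", ["product-b"]],
  ["userC", []],
]);

// Collect every item reachable from the roots of the given products.
function reachableItems(productIds) {
  const seen = new Set();
  const stack = productIds
    .map((p) => PRODUCT_ROOTS.get(p))
    .filter((root) => root !== undefined); // ignore unknown products
  while (stack.length > 0) {
    const id = stack.pop();
    // Skip items already visited (shared or cyclic) and dangling references.
    if (seen.has(id) || !ITEMS.has(id)) continue;
    seen.add(id);
    stack.push(...ITEMS.get(id));
  }
  return seen;
}

// Deny by default: unknown users, unknown items and items outside every
// purchased tree all yield false.
function canAccess(userId, itemId) {
  const owned = PURCHASES.get(userId) || [];
  return reachableItems(owned).has(itemId);
}
```

In this model a shared item needs no per-product copy: it becomes readable as soon as any purchased tree reaches it.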