How to limit access to associations / relations with User & Permissions plugin, is it possible?

Say I have a content type called Books, with a relation that a User has many Books. The User comes from the User & Permissions plugin. When my front-end authenticates that User, I get a JWT and I can use the Strapi API to retrieve content, per the Authenticated role (by default). If I give this role access to Books, then any authenticated user can see all Books, even ones that do not “belong” to them.

Is there a way to set up the roles and/or other permissions to scope access to the Books, so only the User who created the Books can see his/her own Book records?

This topic has been created from a Discord post (1214413952289738853) to give it more visibility.
It will be on Read-Only mode here.

I have since found that the way to do this is with policies and/or middleware. Specifically, the developer documentation states:
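The policy and middleware approach mentioned above, sketched as an added example; it is not part of the original post and is not the documentation passage the post refers to. It assumes Strapi v4-style policy and route-middleware signatures, a content-type UID of `api::book.book`, and an owner relation field named `user`; the file paths in the comments are hypothetical.

```javascript
// Added example (not from the post or the Strapi docs). Assumed names:
const BOOK_UID = 'api::book.book'; // assumed content-type UID
const OWNER_FIELD = 'user';        // assumed name of the Book -> User relation

// Policy for single-record routes (findOne, update, delete), e.g. placed in
// src/api/book/policies/is-owner.js (hypothetical path) and exported there.
// Allows the request only when the record's owner is the JWT-authenticated user.
const isOwner = async (policyContext, config, { strapi }) => {
  const user = policyContext.state.user; // populated after the JWT is validated
  const id = policyContext.params && policyContext.params.id;
  if (!user || !id) return false;        // fail closed: no identity or no target
  const book = await strapi.entityService.findOne(BOOK_UID, id, {
    populate: [OWNER_FIELD],
  });
  const owner = book && book[OWNER_FIELD];
  // Missing record or ownerless record is denied, never treated as public.
  return Boolean(owner) && String(owner.id) === String(user.id);
};

// Route middleware for the list route (find), e.g. placed in
// src/api/book/middlewares/scope-to-owner.js (hypothetical path).
// Forces an owner filter server-side so the list only contains the caller's Books.
const scopeToOwner = (config, { strapi }) => async (ctx, next) => {
  if (!ctx.state.user) return ctx.unauthorized('Authentication required');
  ctx.query.filters = {
    ...(ctx.query.filters || {}),
    // Written last so a client-supplied filter on the owner field cannot replace it.
    [OWNER_FIELD]: { id: { $eq: ctx.state.user.id } },
  };
  await next();
};
```

Both pieces are needed: the policy covers routes that take an `:id`, while the middleware covers the list route, where there is no single record to check.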