One to many relation and cross permissions

Not currently no, that’s something that would require a custom controller to handle (checking the ctx.state.user and sending a different populate array to the service.)