Policy security on multilevel relationships

I understand how policy works for users/:id, but I’m not sure how to handle it with multiple relationships. For instance, I have Users, Funds, and Companies. A user is always associated with a fund, and a fund has multiple companies. I want to securely display all the companies associated with the fund for a user. Thus, there needs to be a check when performing a findall of the companies, ensuring that only the companies associated with funds linked to the individual are shown. Does anyone know how to program this in the policies? Thank you in advance!