RBAC - Role based access control feature discussion

@SorinGFS, your observation "The power of Strapi will not consist in what it is now, but in plugins and ready-to-use ORM schemas." has to be adopted as the Strapi team's motto. The reference to WordPress further simplifies the adoption. Besides the RBAC implementation, this motto should be used in planning and implementing all future additions.

Saying this, I am extending this discussion to include another "sore subject", which is a huge issue for the Strapi team - just "google" the term "strapi database migration issues". To be clear, this issue can be more generally summarized as "bidirectional synchronization between the Strapi data model (as created and maintained by the Strapi GUI Builder) and the related database" (see the "low level" discussion about this here: Database Migration / Deployment Questions). I am using the term "low level" because in this discussion people are using terminology specific to database migrations, while in my opinion the solution should be provided in terms of some intermediate representation which is then used for synchronization between the model (which is a Strapi-owned object) and a given database. Any direct approach seems too complex (see Migrate data from relational DB to NoSQL).

Now, back to the Strapi RBAC implementation, which has the same problem as described in the above paragraph. A few initial Strapi releases treated users the same way as any other content object, making it difficult to extract users to be handled by some IAM (Identity and Access Management) PaaS, like the AWS IAM service. I had numerous private discussions with @DMehaffy (who is, despite his youth, an incredibly smart and educated developer) about the better approach to add IAM support to Strapi. Yes, I admit using Derrick as the "sounding board", knowing the Strapi core team is too busy to parse some ideas that are not in the current plan, even if that might result in forfeiting some good ideas.

Strapi's way of adding IAM (without calling it that) was by introducing RBAC: first starting to handle users differently than other content, and then adding Role Based Access Control code as an integral part of the core code. (Who remembers the wars with Microsoft when they took the position that Internet Explorer is an integral part of the Windows OS, and compare it with today's situation where they licensed Chrome and renamed it to Microsoft Edge?)

I could expand on the RBAC implementation a lot further, but I have already written a lot. @DMehaffy, please feel free to transform this text into multiple posts if necessary. I wanted to write this post maintaining the @SorinGFS "motto" defined above.