Which user does the JWT token belong to, and how can only data belonging to that user be retrieved?

I’m curious here why you are doing a query, since if you console.log(ctx.state.user) it should contain all the user information you need (including the id). But you are missing a filter: the ctx.state.user contains the user's information based on the JWT they supplied (if they supplied one; else the request is public). But you need to inject the filter.

I wrote a sample policy that was for controlling access to a content-type based on which organization a user belonged to (this is an older example and the code sucks, but it’s there to prove a point; don’t do what I did here and loop a bunch of different checks into one policy. It’s better to have multiple policies).

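A sketch of the filter injection described in the reply above, added here as an example; it is not the poster's sample policy or the framework's own code. The relation field name `owner` and the `filters` / `$and` / `$eq` query shape are assumptions about the content-type and API version.

```javascript
// Added example: owner-scoping logic for a policy. Assumptions (not from the
// thread): the content-type has a relation field named "owner", and queries
// use a `filters` object with $and / $eq operators.
const OWNER_FIELD = "owner"; // hypothetical field name

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Returns false to reject the request, true after scoping ctx.query.
function scopeToOwner(ctx, ownerField = OWNER_FIELD) {
  const user = ctx.state && ctx.state.user;
  // No JWT supplied (public request) or malformed user: nothing to scope to.
  if (!user || user.id === undefined || user.id === null) return false;

  // Server-side constraint built only from the verified token's user id.
  const ownerFilter = { [ownerField]: { id: { $eq: user.id } } };

  const query = isPlainObject(ctx.query) ? ctx.query : {};
  const clientFilters = query.filters;

  // AND the client's filters with ours, so a client-sent owner filter or $or
  // can narrow the result but never widen it to another user's rows.
  query.filters =
    isPlainObject(clientFilters) && Object.keys(clientFilters).length > 0
      ? { $and: [clientFilters, ownerFilter] }
      : ownerFilter;

  ctx.query = query;
  return true;
}

// Constructed sample requests (Koa-like ctx objects), not real traffic.
function demo() {
  const anonymous = { state: {}, query: {} };
  const plain = { state: { user: { id: 7 } }, query: {} };
  const tampered = {
    state: { user: { id: 7 } },
    query: { filters: { owner: { id: { $eq: 1 } } } }, // client-sent owner filter
  };
  return {
    anonymous: scopeToOwner(anonymous),
    plain: scopeToOwner(plain) && plain.query.filters,
    tampered: scopeToOwner(tampered) && tampered.query.filters,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because the client-sent filter is combined with the token-derived one under `$and`, the third request matches no rows instead of returning another user's data.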