yeah, specifying the policy also part of nip-11 as well, so a relay should be configured to telegraph to users what the policy is. this is too complex to use machine encoding. there is two parts. one part can be precisely described, such as event limits, event kinds, etc etc, the other half is the human-curated part of the policy. any rejection of query or event publish will specify the policy violation it invokes. you can be whitelisted to use a relay, but try to send events or queries that are forbidden by the relay, and it rejects them. so the ack is not a blanket permission, it is just an acknowledgement that the user has a role defined in the policy and they are restricted by the rules associated with the role. the ack's purpose is just to prevent the waste of bandwidth and improve that initial load time, which is important, in my opinion. well written clients will proactively query and cache results that the user will want to see, to further improve UX.