In #2160 we talk about implementing the API for the permission model described in #1785.
This issue captures the work of actually applying that permission model in various queries.
This will be a series of PRs for various endpoints (it may end up making sense to make sub-issues as that work is being done, in order to better track it).