At the current stage we have implemented coarse-grained control over the endpoints using Spring Security's pre-authorize interceptors.
In many cases the authorization decision is not a simple allow/deny: for some endpoints, users who are allowed to access the endpoint should only read a partial view of the object. This applies both to the object targeted by the endpoint and to other linked objects. Some examples:
The item endpoint should protect the dc.description.provenance metadata (or any hidden metadata) from "normal users"; an accessible item should not list administrative bundles to normal users. On the collection endpoint the associated groups and policies should be hidden from normal users, and so on.
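The gap described above, as an added example that is not part of the original issue and not DSpace's own code: a method-level `@PreAuthorize` decides only whether the caller may reach the endpoint, so the unfiltered variant below still hands the whole object, hidden metadata and administrative bundles included, to any authenticated user. The second variant keeps the same coarse check and adds a role-aware projection of the response. The `Item`, `Bundle` and `Metadata` records, the `HIDDEN_METADATA` and `ADMIN_BUNDLES` sets and the `ROLE_ADMIN` authority name are simplified assumptions for illustration; only the Spring Security types imported are real. The same projection pattern applies to the collection endpoint's linked groups and policies.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical, simplified item model for illustration (not DSpace's own classes). */
public class ItemProjectionExample {

    record Metadata(String field, String value) {}
    record Bundle(String name, List<String> bitstreams) {}
    record Item(String id, List<Metadata> metadata, List<Bundle> bundles) {}

    /** Metadata fields that must not reach non-administrators (assumed configuration). */
    static final Set<String> HIDDEN_METADATA = Set.of("dc.description.provenance");

    /** Bundle names treated as administrative (assumed configuration, not DSpace's default). */
    static final Set<String> ADMIN_BUNDLES = Set.of("LICENSE", "TEXT");

    /** Coarse-grained check only: any authenticated caller receives the complete object. */
    @PreAuthorize("isAuthenticated()")
    public Item getItemUnfiltered(Item stored) {
        return stored;
    }

    /** Coarse-grained check plus fine-grained projection of what is returned. */
    @PreAuthorize("isAuthenticated()")
    public Item getItem(Item stored) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return projectFor(stored, isAdmin(auth));
    }

    /** True when the caller carries the administrator authority (assumed name ROLE_ADMIN). */
    static boolean isAdmin(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch("ROLE_ADMIN"::equals);
    }

    /**
     * Builds the view a caller is allowed to see. Administrators get the stored object
     * unchanged; everyone else gets a copy with hidden metadata and administrative
     * bundles removed, so the response itself cannot leak them.
     */
    static Item projectFor(Item item, boolean admin) {
        if (admin) {
            return item;
        }
        List<Metadata> visibleMetadata = item.metadata().stream()
                .filter(m -> !HIDDEN_METADATA.contains(m.field()))
                .collect(Collectors.toList());
        List<Bundle> visibleBundles = item.bundles().stream()
                .filter(b -> !ADMIN_BUNDLES.contains(b.name()))
                .collect(Collectors.toList());
        return new Item(item.id(), visibleMetadata, visibleBundles);
    }

    /** Stand-alone demonstration on a constructed item; no Spring context is needed for this part. */
    public static void main(String[] args) {
        Item stored = new Item("item-1",
                List.of(new Metadata("dc.title", "A public title"),
                        new Metadata("dc.description.provenance", "Submitted by someone@example.org")),
                List.of(new Bundle("ORIGINAL", List.of("paper.pdf")),
                        new Bundle("LICENSE", List.of("license.txt"))));

        Item adminView = projectFor(stored, true);
        Item userView = projectFor(stored, false);

        System.out.println("admin sees metadata: " + adminView.metadata().size()
                + ", bundles: " + adminView.bundles().size());
        System.out.println("normal user sees metadata: " + userView.metadata().size()
                + ", bundles: " + userView.bundles().size());
        // Expected: admin sees 2 metadata / 2 bundles, normal user sees 1 metadata / 1 bundle.
    }
}
```

The projection is applied on the server side before serialization, so the check does not depend on the client honouring anything; if the projection is instead left to a JSON view or a front-end filter, the hidden fields still travel over the wire and the `@PreAuthorize` gate gives a false sense of protection.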