Currently, when e.g. a connection in Ditto's "connectivity" service subscribes for "thing events" (modifications) to publish to e.g. a Kafka topic, it will receive all the events which the configured "authorizationContext" subject is allowed to "READ".

So it will receive all events and then apply the optionally defined RQL filter statement as well as the defined namespaces (also as a filter criteria).
The RQL filter cannot be filtered on pub/sub level, however the namespaces could be.

In the best case, the namespaces (if defined) would also be used when subscribing via Ditto pub/sub to the internal topic and a connection which e.g. is only interested in events of namespace foo would not get notified about events in namespace bar, even if it would have READ permissions for those things.