Let me know if I've misinterpreted the use of your tool or if I'm very far out of scope.

I want have access controls on subsets of map data e.g. layers. I want to continue to use efficient calls to grab only the data relevant to a particular part of the map.

For example, only people with the "utility worker" role can see the "pipes" layer and only people with the "teacher" role can see the "schools" layer.

One implementation I had in mind, if this makes any sense at all, is to have each layer as their own pmtiles file sitting on S3 instead of all being together in one file e.g. one file for "pipes" and one for "schools". Each file would still be accessed with range requests. At a given zxy, the browser pulls a range from N files using N calls, getting a 403 on any layer the user can't access. I could then render only the information on the map that was pulled from the files the user was allowed to access.

I don't want to create a new pmtiles file each each combination of layers because there are an exponential number of combinations possible.

The IAM access stuff is straight forward enough. Is there a way to have access controls on subsets of data but called using all of the efficient encoding of PMTiles? Is there a much simpler way I've overlooked?