I personally haven't used oauth systems like keycloak for authorisation policies, but instead I've used scopes in the bearer tokens for this high-level access control.

Each ingress gateway (and even each micro service behind that) has an "applicationName-r" and an "applicationName-rw" scope for read and read-write access.

Usually that, plus the user context (subject) on the bearer token is enough to make good access policy decisions inside the target application.

One (maybe naive) criticism I have of central auth policies within keycloak is that the constant traffic to the policy server sounds impractical for scaling, and if you need more than the RBAC-style logic already provided by scopes then you are necessarily mixing domain and business logic into your author server.

But maybe I am missing some patterns that make these concerns invalid.

I do see that centralizing this can be helpful for auditability and observing access.