Document additivity of policies/permissions in Restricted Access

Because we're using SpiceDB, each policy represents a means by which a subject could have access to a given API. This means that if you have multiple policies applying to the same service account, they behave additively, as though it's the union of the permissions provided by the policies.

This is something that isn't immediately obvious, so we should document it.