So far, the only issue I have hit with this approach is that policies are only applied to controllers, not views.
So, if you call a route that is not defined (404), the policy will not be called and an error will be called in the layout.ejs.
This produces a 404 correctly , but the page is blank, leaving visitors confused.
Even if I define a default to substitute for the value that was supposed to be set in the policy, the 404 page will still be incomplete.