#when you are doing the "use C# code to

In general, the default player policies let players do most operations related to their own data. This includes player name, economy, cloud save. There are some nuances based on each feature but that's the general default for historical and backwards compatibility reasons.

Access control lets you tighten these rules to improve security.

Non-player based authorization flows enable acting on behalf of players / server-authority, either for your backend, a game server or serverless functions. (service account, multiplay, cloud code)

This is what we support at this time

There is currently no support for setting limits to reaching endpoints.

is this planned for the future?

Not to my knowledge.
Guidance for now is to use one of the server authoritative flows if you need more control

from the point of view of what access control lets you change, are all of the default policies authored somewhere in UGS's ad hoc json policy language (i.e. like AWS built in policy objects) and available to browse?

so for example, can you introspect in the form

for the player role, what policies are attached?

and you get a list of policy names aka something you can use to get a list of ad hoc UGS policy JSON documents?