I am convinced there's someone who thinks debuggable security policies are a security risk and deliberately designs security APIs to be as inscrutable as possible.