not sure what you mean
an approach to limiting decryption access is per kind but a problem is that you can take an encrypted blob and make it look like something else by putting it in a different kind and with the p tag of the sender to make it appear like it’s an outgoing message + asking the ext to sign the only solution is indicating the kind and sender in the encrypted blob