I'm working on a set of wireplumber rules, and one thing that I need is to restrict some clients to access audio sources from pulseaudio emulation (pipewire-pulse), thus forbidding them to record audio while still allowing them to play audio. I've been able to implement everything except one: the audio monitors of the audio outputs.
Currently I'm checking for all "audio/source" nodes with an ObjectManager, and for those clients that shouldn't get access to audio sources I call "update_permissions" with the "bound-id" property of the audio source. That works for "normal" audio sources, but the monitors of an audio/sink aren't listed there as sources, so this is not enough.
I tried adding an ObjectManager for ports, and there I am able to detect monitor and non-monitor elements. But removing access permissions to a client using the "bound-id" property of a port doesn't seem to work: running pa-info from inside the snap still shows the monitor sources.
How can I disable access from a client to the monitor of an "audio/sink" while allowing that client to send audio to that audio sink?