Apply Permissions to Assets/Asset Collections in BE


does anybody have an advice or even have experience with this topic:
I need to apply permissions to assets and/or asset collections in the backend’s media browser.
This means: a backend user has a role assigned and this role should only be able to view one or more selected asset collections (e.g. identified by title or identifier) and view/manage assets within it.
The current challenge for me is the asset aspect; filtering collections by entityPrivileges in policy.yaml is not so hard to do. But the m:n relation between assets and collections is giving me a hard time… there seems to be no matcher for this relation type.
How would you approach this…?