How does your example prevent someone with access to your Meteor server from bypassing your custom permissions? My understanding is the code in question runs on the client.
I think the code runs in both places. In the client, it describes the messages it will send, and in the server, it describes the messages to expect. So the server still verifies that the database requests are only permitted ones.
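
A framework-free model of the behaviour the reply above describes, added here as an illustration: it is not code from the original thread and it does not use Meteor's API. The names `rules`, `createServer`, `honestClientUpdate` and `modifiedClientUpdate`, and the sample document, are hypothetical and constructed for this example.

```javascript
// Shared rule: the same object is loaded by the client and by the server.
const rules = {
  // Only the owner may update a document, and only its "text" field.
  update(userId, doc, fields) {
    return doc.owner === userId && fields.every((f) => f === "text");
  },
};

// Server side: holds the real data and re-evaluates the rule on every message.
function createServer(initialDocs) {
  const docs = new Map(initialDocs.map((d) => [d.id, { ...d }]));
  return {
    // sessionUserId comes from the server's own session state, never from msg.
    handle(sessionUserId, msg) {
      const doc = docs.get(msg.id);
      if (!doc) return { ok: false, reason: "not-found" };
      const fields = Object.keys(msg.changes);
      if (msg.op !== "update" || !rules.update(sessionUserId, doc, fields)) {
        return { ok: false, reason: "access-denied" };
      }
      Object.assign(doc, msg.changes);
      return { ok: true };
    },
    read: (id) => ({ ...docs.get(id) }),
  };
}

// Unmodified client: runs the rule locally, so it never sends a doomed request.
function honestClientUpdate(server, userId, localDoc, changes) {
  if (!rules.update(userId, localDoc, Object.keys(changes))) {
    return { ok: false, reason: "blocked-client-side" };
  }
  return server.handle(userId, { op: "update", id: localDoc.id, changes });
}

// Modified client: the local check is gone; only the server's check remains.
function modifiedClientUpdate(server, userId, id, changes) {
  return server.handle(userId, { op: "update", id, changes });
}

function demo() {
  const server = createServer([{ id: "d1", owner: "alice", text: "hi" }]);
  const results = {
    ownerEdit: honestClientUpdate(server, "alice", server.read("d1"), { text: "hello" }),
    takeOwnership: modifiedClientUpdate(server, "mallory", "d1", { owner: "mallory" }),
    foreignEdit: modifiedClientUpdate(server, "mallory", "d1", { text: "changed" }),
  };
  return { results, final: server.read("d1") };
}
```

The client-side copy of the rule only saves round trips; the copy evaluated inside `handle` is the one that decides what reaches the data.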