Interesting, I think you'd have to set the permissions on the documented as a single value of the combined permission attributes. Then make sure that single combined value is set on the user. It would be a little awkward, especially since I'm assuming there would be other attribute combinations from other documents to account for as well. However, it should achieve the requirement that the user have all permissions attributes, not just an intersection. This would probably require using a custom API source.
Elastic is introducing some functionality in an upcoming release that would let you selectively index a subset of content in case you would actually just prefer to index a more commonly accessed set of documents that aren't subject to complex attribute based permissions.