Noob looking for some guidance on Document level secure index

Hi, I searched around (including API) to try and find some recent direction for supporting secure search based on document level access control. (I expact a ton of people have asked the same question... just could not find a recent doc/thread (maybe I just missed it)

Background:

I have a collection of document trees. Each document is accessible by a list of users.
I would like users to be able to search the following ways:

  1. within a document that they have access to - for example I want to find the word "Sydney" within the tree. Users who do not have access to this document should not be able to use this index or see search results.

  2. site wide: across documents a user has access to. For example, I want to search across all my documents for a tag #surf and see all documents that have been tagged with "surf"

There could millions of users and millions of document trees. I expect each document tree could have thousands of nodes. ... For example you can comment on a document and there could be thousands of comments on a document.

What's the best way to implement this with Elasticsearch (I am planning on using Found to host it)?

My current thought was to have an index for each document and then somehow only allowing users with access to that document to use the index. I was not sure exactly how to prevent non-authorized users from using an index?

For the sitewide search, I am not sure how I'd aggregate all my document tree indices together, perhaps a user index ... but that would seem like a huge duplication of data.

Anyway, any guidance help appreciated.

Once solution is if you have control over the documents, you can use a
filtered alias:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html#filtered

You create the index and documents are normal, but each document contains a
property/field that will determines which user have access to it. Each user
has access to an filtered alias, not the entire index.

The major downside is that it is difficult to add/remove users since each
document would need to be updated.

Thanks. Looking at that now

So how would you restrict access to "test1"? ie I see how you can filter by "alias2" but a user could still hit the "test1" index and see all docs they shouldn't, right? Is there some other way I should be restricting access so users cannot use "test1"?