Authorization is really about "defense in depth". In a ZTA model, your access proxy, authentication system, API gateway, application middleware, and data layer all provide additional levels of protection [0].

Using your DB's row-level security for data filtering is definitely complementary to API authorization.

[0] https://www.aserto.com/blog/modern-authorization-requires-de...