High-level guide on how to deal with user authorization?

Thanks @bminer,

Authorization (especially revoking access etc.) in a decentralized system is indeed a very hard problem. The problem is, of course, much simpler when there is a central authority that can reject changes. Rejecting writes to a Yjs document is discussed here: "read-only" or one-way only sync

It is possible to implement your own user management in y-websocket and reject client connections once access is revoked.

Herb Caudill is working on completely decentralized authorization management: GitHub - HerbCaudill/crdx: CRDTs meet Redux: Conflict-free, replicated, principled state management.

CRDTs should be agnostic to authorization. This is something that the provider can easily manage. This is why this is not technically part of Yjs.

Thanks for linking the thread @bminer!

2 Likes
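One way to do the provider-side user management described in the post above, as an added example that is not part of the original post and is not y-websocket's own code. `AccessGate`, the role names and the close code 4403 are hypothetical; the message constants assume the y-websocket wire format, where the first byte is the message type (0 = sync) and the second is the sync sub-type (0 = SyncStep1).

```javascript
// Added example: server-side access gate for a central Yjs websocket provider.
// AccessGate, the roles and close code 4403 are assumptions, not a y-websocket API.
const MESSAGE_SYNC = 0; // outer message type (assumed y-websocket format)
const SYNC_STEP_1 = 0;  // sync sub-type: state request, carries no document changes
const ROLES = new Set(['read', 'write']);

class AccessGate {
  constructor() {
    this.acl = new Map();  // docName -> Map(userId -> role)
    this.live = new Map(); // docName -> Map(userId -> Set(socket))
  }
  grant(doc, user, role) {
    if (!ROLES.has(role)) throw new Error(`unknown role: ${role}`);
    if (!this.acl.has(doc)) this.acl.set(doc, new Map());
    this.acl.get(doc).set(user, role);
  }
  // Call once the connection's user has been authenticated by your own login layer.
  connect(doc, user, socket) {
    if (!this.acl.get(doc)?.has(user)) {
      socket.close(4403, 'forbidden');
      return false;
    }
    if (!this.live.has(doc)) this.live.set(doc, new Map());
    const byUser = this.live.get(doc);
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(socket);
    return true;
  }
  disconnect(doc, user, socket) {
    this.live.get(doc)?.get(user)?.delete(socket);
  }
  // Revoking drops the ACL entry and closes every connection the user still has open.
  revoke(doc, user) {
    this.acl.get(doc)?.delete(user);
    const sockets = this.live.get(doc)?.get(user) ?? new Set();
    for (const s of sockets) s.close(4403, 'access revoked');
    this.live.get(doc)?.delete(user);
    return sockets.size;
  }
  // Checked per incoming message, so a role change applies to open connections too.
  mayForward(doc, user, message) {
    const role = this.acl.get(doc)?.get(user);
    if (!role || message.length < 2) return false;
    if (role === 'write' || message[0] !== MESSAGE_SYNC) return true;
    return message[1] === SYNC_STEP_1; // read-only: drop SyncStep2 and Update
  }
}
```

Call `connect` from the server's connection handler and `mayForward` before applying or broadcasting each incoming message; read-only users can still send awareness messages in this sketch.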