Why is access control a special case in Yada? Why not implement it, as the Yada docs state in “12.2. Declaring policies across multiple resources”, namely walk the routing tree with a function that augments the resources?

Or am I maybe misunderstanding 12.2?

I don't understand the question. We use clojure walk and bidi to achieve that now.

Thinking about it, I think you’re right, I’m mixing up things. Of course you can add :access-control by walking the tree. What I’m after is, why at all have :access-control, when it’s just a matter of sending back yet another HTTP status code?

There's quite a lot involved in access control. See the yada blog on authentication. Also, CORS pre-flight requests. Yada implements quite complex semantics from policy statements.