Hey there @aaron.hardy, apologies for the delayed response on this one!
The joining of permissions is taken care of by RBAC either outside of the context of an organization (multiple direct roles) or within the context of an organization (multiple roles assigned at org level), but not both, as you’ve discovered.
What might be an option is to rely on the permission array added to the Access Token from a login within the context of an Organization while using the Management API to get a user’s direct roles and add those in a separate custom claim. You should be able to infer permissions based on the roles. This does, however, still require a call to the Management API:
This could be a good candidate for a feedback request as I totally understand where you are coming from.
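
The approach described in the reply above, as an added example that is not part of the original post or Auth0's own code: a post-login Action handler copies the user's direct roles into a custom claim, and the API unions the token's permissions array with permissions inferred from those roles. The claim name, the secret names, the role-to-permission map and the pre-issued Management API token held in secrets are assumptions.

```javascript
// Added example. CLAIM, the secret names and the role map passed to
// effectivePermissions() are assumptions for illustration.
const CLAIM = "https://example.com/direct_roles"; // hypothetical namespaced claim

// Action side: list the user's directly assigned roles through the Management
// API (GET /api/v2/users/{id}/roles). fetchImpl is injectable so this runs offline.
async function getDirectRoleNames(fetchImpl, domain, token, userId) {
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/roles`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return (await res.json()).map((role) => role.name).sort();
}

// Same shape as a post-login Action handler; the third parameter is added for testing.
async function onExecutePostLogin(event, api, fetchImpl = globalThis.fetch) {
  if (!event.organization) return; // no org context: RBAC already joins direct roles
  let roles = [];
  try {
    roles = await getDirectRoleNames(fetchImpl, event.secrets.DOMAIN,
      event.secrets.MGMT_TOKEN, event.user.user_id);
  } catch (err) {
    roles = []; // fail closed: a lookup error must never widen access
  }
  api.accessToken.setCustomClaim(CLAIM, roles);
}

// API side: union the org-scoped permissions array with permissions inferred
// from the direct roles. rolePermissions is a Map so that role names such as
// "constructor" cannot resolve to inherited object properties.
function effectivePermissions(payload, rolePermissions) {
  const direct = Array.isArray(payload[CLAIM]) ? payload[CLAIM] : [];
  const perms = new Set(Array.isArray(payload.permissions) ? payload.permissions : []);
  for (const role of direct) {
    for (const p of rolePermissions.get(role) || []) perms.add(p); // unknown roles add nothing
  }
  return [...perms].sort();
}
```

The API must verify the token's signature, issuer and audience before passing its payload to `effectivePermissions`, since the function trusts the claims it is given.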