How to include privileges in the ID token for conditional UI rendering?

Hi @moritz.meinhardt,

You are correct with the statements mentioned above. Since you are using a SPA, it is not recommended to pass the Management API access token to the app directly, nor decode it there.

The easiest approach would be creating multiple roles with the intended permissions and adding them to the ID token via custom claims using Actions. You can also check out this related Knowledge Article since it provides links to different helpful documentation articles on the matter.

This might not suit your particular use case, but permissions can be leveraged using the Management API inside Actions, as detailed here.

Even though it might require more work, in order to use the Management API endpoints from the application side, as you have mentioned as well, it is considered best practice to proxy the search request from the SPA through your backend via a new search endpoint. This would be the secure, recommended approach. The solution on this community post provides a detailed explanation.

Hope this helps!
Best regards,
Remus

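The roles-in-ID-token approach from the reply above, as an added example that is not part of the original post or Auth0's own code: a post-login Action that writes the user's roles into a namespaced custom claim, and the SPA-side check that reads it. The namespace, the role names and the helpers `uiRoles`, `canRender` and `demo` are assumptions; the claim only drives rendering, and the backend still has to authorize every request.

```javascript
// Added example. NAMESPACE and the role names are assumptions, not values from the post.
const NAMESPACE = "https://example.com";

// Only roles the UI actually needs are exposed; any other assigned role
// stays out of the token the browser can read.
const UI_ROLES = new Set(["admin", "editor", "viewer"]);

// Filter the assigned roles down to the allowlist (hypothetical helper).
function uiRoles(assigned) {
  return (assigned || []).filter((r) => UI_ROLES.has(r)).sort();
}

// Auth0 post-login Action handler. event.authorization can be undefined,
// so the claim falls back to an empty array instead of throwing.
async function onExecutePostLogin(event, api) {
  const roles = uiRoles(event.authorization && event.authorization.roles);
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// SPA side: decide whether to render a control from the ID token claims
// returned by the SDK after it has validated the token (hypothetical helper).
function canRender(idTokenClaims, requiredRole) {
  const roles = idTokenClaims[`${NAMESPACE}/roles`];
  return Array.isArray(roles) && roles.includes(requiredRole);
}

// Constructed sample run: a stub `api` records what the Action would set.
function demo() {
  const claims = {};
  const api = { idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  const event = { authorization: { roles: ["editor", "billing-internal"] } };
  onExecutePostLogin(event, api);
  return {
    claims,
    showEdit: canRender(claims, "editor"),
    showAdmin: canRender(claims, "admin"),
  };
}
```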