In the attached script, the second insert into t2 (as part of the CTE) should succeed. My actual use case isn't much more complex; the function is used primarily to allow peeking at columns that the function definer has access to but a typical user does not. The function also makes it easy to copy this policy to a number of structures.
The function within the policy doesn't seem to be able to see records inserted by earlier statements in the CTE. Perhaps this is as simple as adding a command counter increment in the right place?
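A minimal reconstruction of the scenario, as an added example rather than the poster's attached script (the table, role, column and function names are assumptions). PostgreSQL documents that all sub-statements of a WITH clause run against the same snapshot and cannot see one another's effects on the target tables, which is what a policy function evaluated inside the second sub-statement runs into. The same two inserts issued as separate statements in one transaction work, because the second statement gets a fresh snapshot that includes the first statement's row. The function is pinned to a fixed search_path and marked STABLE, which is the usual hardening for a SECURITY DEFINER function that a policy calls on every row:

```sql
-- Added example (not the poster's attached script); names below are assumed.
CREATE TABLE t1 (id int PRIMARY KEY, owner text NOT NULL);
CREATE TABLE t2 (id int PRIMARY KEY, t1_id int NOT NULL REFERENCES t1 (id));

CREATE ROLE app_user NOLOGIN;
-- app_user may insert into both tables and read t1.id, but NOT t1.owner:
-- the policy function below peeks at that column on the user's behalf.
GRANT INSERT ON t1, t2 TO app_user;
GRANT SELECT (id) ON t1 TO app_user;

-- SECURITY DEFINER runs with the definer's privileges, so it can read t1.owner.
-- Fixed search_path: the function must not resolve names through the caller's path.
-- STABLE: read-only, evaluated against the calling statement's snapshot.
CREATE FUNCTION t1_is_owned(p_id int) RETURNS boolean
LANGUAGE sql SECURITY DEFINER STABLE
SET search_path = pg_catalog, public
AS $$
  SELECT EXISTS (SELECT 1 FROM t1 WHERE id = p_id AND owner = session_user);
$$;
REVOKE EXECUTE ON FUNCTION t1_is_owned(int) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION t1_is_owned(int) TO app_user;

ALTER TABLE t2 ENABLE ROW LEVEL SECURITY;
CREATE POLICY t2_insert_own_parent ON t2
  FOR INSERT TO app_user
  WITH CHECK (t1_is_owned(t1_id));

SET ROLE app_user;

-- Case 1: both inserts in one CTE. Every sub-statement of a WITH shares the
-- snapshot taken at the start of the statement, so the policy's function does
-- not see the t1 row written by the first sub-statement. Expected outcome: the
-- insert into t2 is rejected by the row-level security policy.
WITH new_parent AS (
  INSERT INTO t1 (id, owner) VALUES (1, session_user) RETURNING id
)
INSERT INTO t2 (id, t1_id) SELECT 10, id FROM new_parent;

-- Case 2: the same work as two statements in one transaction. The second
-- statement starts with a new snapshot that includes the row from the first,
-- so the policy check passes.
BEGIN;
INSERT INTO t1 (id, owner) VALUES (2, session_user);
INSERT INTO t2 (id, t1_id) VALUES (20, 2);
COMMIT;

RESET ROLE;
```

When reviewing an RLS setup like this, check two things: that the SECURITY DEFINER function pins search_path and is STABLE (a VOLATILE or unpinned function called per row is both slower and a classic privilege-escalation surface), and that any policy which depends on rows written in the same statement is restructured into separate statements, since the CTE form will fail regardless of the function's privileges.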