More simple auth rules

I disagree with authRole, as that assumes we want to always control the query by a role. It could be any variable that means anything in JWT, as many projects have different needs.

However, I strongly agree with this and find the auth rules very bulky and hard to keep track of. My suggestion would be to have auth rules separate from the schema.

There are also no validation rules, as you have to use custom lambdas to keep track of this until the day when validation rules are available. My suggestion would be to somehow merge the two, auth rules and validation rules, together into something similar to Firestore rules:

Here you can see an example of how this works:

Firestore Security Rules Cookbook

This is a must for security.

J

3 Likes