The same retrieval, two ways — permissionless (Security Admin, left) vs permissioned (the scoped Query Agent, right). Change the agent's grant on context_runtime.vulns below and the right column re-slices live: withheld hits are dimmed (row scope), masked fields show as •••.