M. Koch

ABAC - How does the PIP access the object data?

I'm working on a project that requires Attribute Based Access Control (ABAC) and is based on a modular monolith architecture.

If the parameters from the API request are not sufficient to decide a policy, the missing attributes need to be provided. For example, a policy says "object can be edited if created by the user". For that policy the object, or at least a "createdBy" property, needs to be fetched first. The recommended architecture uses a Policy Information Point (PIP).

It serves as the retrieval source of attributes, or the data required for policy evaluation to provide the information needed by the PDP to make the decisions.

All the articles and papers I read just say that the PIP retrieves the attributes. This is not trivial and it raised many questions in my head. I'm so surprised that I couldn't find any information about how that works in practice.

How does the PIP access the object data?
I would assume that the PIP obtains the data through the regular APIs for each bounded context/microservice. If this is correct, does the PIP call the regular API endpoints

e.g. GET api/orders/{orderId}?fields=createdBy

or must the API provide special endpoints for the PIP?

e.g. GET api/orders/{orderId}?pipActivity=update

Fetching a new attribute with option 2 requires the PIP and the API to change together.

It wouldn't eliminate that issue, but in a modular monolith I could have the PIP functionality in the bounded context and fetch all required data before calling the access control system. Would this be an option for a modular monolith?

Are there any other common access patterns, like direct access to the data store?

Should the PIP honor ETags?
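As an added illustration (not code from the question or from any ABAC framework): a minimal in-process PDP and PIP for a modular monolith, where the PIP resolves `createdBy` lazily through the orders bounded context's regular read port, i.e. the first option above. The names `Pip`, `Pdp`, `orders_port` and the dotted attribute names are assumptions made for this example.

```python
from typing import Callable
# Constructed in-process "orders" bounded context; stands in for the regular
# read API GET api/orders/{orderId} (option 1 in the question).
ORDERS = {"o-1": {"createdBy": "alice"}, "o-2": {"createdBy": "bob"}}

def orders_port(order_id: str) -> dict:
    return dict(ORDERS[order_id])          # KeyError for an unknown order

class Pip:
    """Policy Information Point: attribute name -> resolver(ctx). A resolver
    runs only when a policy asks for its attribute, and the result is memoised
    in the per-request context, so the API is hit at most once per attribute."""
    def __init__(self) -> None:
        self.resolvers: dict[str, Callable[[dict], object]] = {}
        self.fetches = 0                   # resolver invocations, for inspection
    def get(self, attr: str, ctx: dict) -> object:
        if attr not in ctx:                # not supplied by the request
            if attr not in self.resolvers:
                raise KeyError(f"no PIP resolver for {attr}")
            self.fetches += 1
            ctx[attr] = self.resolvers[attr](ctx)
        return ctx[attr]

class Pdp:
    """Policy Decision Point. Policies are (action, rule) pairs; a rule gets a
    lookup callable and returns True to permit. Deny by default; a failed
    lookup (unknown object, no resolver) is DENY, never an unhandled error."""
    def __init__(self, pip: Pip, policies: list) -> None:
        self.pip, self.policies = pip, policies
    def decide(self, request: dict) -> str:
        ctx = dict(request)   # per-request cache; request attrs come from the PEP
        lookup = lambda attr: self.pip.get(attr, ctx)
        for action, rule in self.policies:
            if action != request["action"]:
                continue
            try:
                if rule(lookup):
                    return "PERMIT"
            except KeyError:
                return "DENY"
        return "DENY"

PIP = Pip()
PIP.resolvers["resource.createdBy"] = (
    lambda ctx: orders_port(ctx["resource.id"])["createdBy"])
# "object can be edited if created by the user", as in the question
PDP = Pdp(PIP, [("edit", lambda a: a("subject.id") == a("resource.createdBy"))])

def can_edit(user: str, order_id: str) -> str:
    return PDP.decide({"action": "edit", "subject.id": user, "resource.id": order_id})
```

Because the PIP only resolves attributes a policy actually references, adding a new attribute means registering one resolver against the existing read API rather than changing the PIP and the API together.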
