I figured it makes the most sense to just use OCM as the underlying mechanism, because Nextcloud already implements and uses it. Luckily, in the case of federated sharing the system doesn't really work like a distributed system, because there is always one node that has the correct data (the node where the share was initiated from) and the others just follow it. The data getting out of sync is not really an issue, especially because security-relevant things will always be delegated to the origin instance, thus not relying on trusting other nodes to apply the restrictions correctly.
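The origin-authoritative model described above, as an added example that is not part of the original comment and is neither Nextcloud code nor the OCM wire protocol: a remote instance holds a stale copy of the share metadata, yet the origin's own check decides every request. The class names, method names and sample file are hypothetical and constructed for illustration.

```python
import secrets

class OriginInstance:
    """Instance where the share was created; sole authority for its state."""
    def __init__(self):
        self._shares = {}  # token -> {"path": str, "permissions": set}
        self._files = {}   # path -> content

    def create_share(self, path, content, permissions):
        token = secrets.token_urlsafe(16)
        self._files[path] = content
        self._shares[token] = {"path": path, "permissions": set(permissions)}
        return token

    def describe(self, token):
        # Metadata a remote may cache; it is informational only.
        share = self._shares[token]
        return {"path": share["path"], "permissions": set(share["permissions"])}

    def set_permissions(self, token, permissions):
        self._shares[token]["permissions"] = set(permissions)

    def handle(self, token, action, data=None):
        # Enforcement happens here, against the origin's current state.
        share = self._shares.get(token)
        if share is None or action not in share["permissions"]:
            return ("denied", None)
        if action == "write":
            self._files[share["path"]] = data
            return ("ok", None)
        return ("ok", self._files[share["path"]])

class RemoteInstance:
    """Follower: caches metadata, forwards every operation to the origin."""
    def __init__(self, origin, token):
        self.origin, self.token = origin, token
        self.cached = origin.describe(token)  # can go stale at any time

    def request(self, action, data=None):
        # No local permission decision: the cache is never consulted.
        return self.origin.handle(self.token, action, data)

def demo():
    origin = OriginInstance()
    token = origin.create_share("/report.txt", "v1", {"read", "write"})  # constructed sample
    remote = RemoteInstance(origin, token)
    origin.set_permissions(token, {"read"})  # origin tightens the share
    stale = "write" in remote.cached["permissions"]  # remote copy is out of sync
    write_status, _ = remote.request("write", "v2")
    read_status, content = remote.request("read")
    return stale, write_status, read_status, content
```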