First of all, congrats on this gem. I really think it's well thought out and designed!
I was looking at your example and I think that the method destroyable_by? should default to updatable_by? instead of true, like you show in your README example.
What do you think?
By default, if only some users are able to update a record, only the same users are able to destroy it.
When I think of real-life apps I've made, nobody without access to update an object has permission to destroy that same object.