A very quick update to help someone else who comes across this issue.

When using a Laravel resource controller with a policy targeting the User::class model, it's incredibly important to update $this->authorizeResource(...) to use the name of the policy attribute rather than the name of the controller attribute.

An example is given below.

Do not do the following if you're implementing a UserPolicy.php. This is dangerous as it's the default in the Laravel docs:

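```php
<?php

namespace App\Http\Controllers;

use App\Models\User; // default model namespace in Laravel 8+; adjust if yours differs

class UserController extends Controller
{
    /**
     * Create the controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        // The version this post warns against: 'user' does not match the
        // policy's target parameter, which is named $model.
        $this->authorizeResource(User::class, 'user');
    }
}
```
UserController
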
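```php
<?php

namespace App\Policies;

use App\Models\User; // default model namespace in Laravel 8+; adjust if yours differs
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    // Users may view their own record; admins may view any record.
    public function view(User $user, User $model)
    {
        return $user->uuid === $model->uuid ||
            $user->isAdmin();
    }
}
```
UserPolicy.php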

Instead, use the following. This is because your policy's target model is labelled User $model instead of User $user:

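```php
<?php

namespace App\Http\Controllers;

use App\Models\User; // default model namespace in Laravel 8+; adjust if yours differs

class UserController extends Controller
{
    /**
     * Create the controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        // 'model' matches the name of the policy's target parameter ($model).
        $this->authorizeResource(User::class, 'model');
    }
}
```
UserController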
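
A feature test is a quick way to confirm that the policy is actually enforced on the resource routes, whichever name is passed to authorizeResource. This is an added example, not code from the original post. It assumes Route::resource('users', UserController::class) (so the route is named users.show), a show action that returns a 200 response, a User factory that generates distinct uuid values, and a hypothetical admin() factory state that makes isAdmin() return true.

```php
<?php

namespace Tests\Feature;

use App\Models\User; // assumed model namespace (Laravel 8+ default)
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UserPolicyWiringTest extends TestCase
{
    use RefreshDatabase;

    // Fails if the authorizeResource wiring denies everyone (fails closed).
    public function test_user_can_view_own_record(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)
            ->get(route('users.show', $user))
            ->assertOk();
    }

    // Fails if UserPolicy::view() is never consulted (fails open).
    public function test_user_cannot_view_another_users_record(): void
    {
        $user = User::factory()->create();
        $other = User::factory()->create();

        $this->actingAs($user)
            ->get(route('users.show', $other))
            ->assertForbidden();
    }

    // Covers the isAdmin() branch of the policy.
    public function test_admin_can_view_any_record(): void
    {
        // admin() is a hypothetical factory state; replace it with however
        // your application marks a user as an administrator.
        $admin = User::factory()->admin()->create();
        $other = User::factory()->create();

        $this->actingAs($admin)
            ->get(route('users.show', $other))
            ->assertOk();
    }
}
```

The route() calls pass the model positionally, so the tests do not depend on what the route parameter is called.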

Hopefully it saves someone an hour or more ❤️

Using authorizeResource and UserPolicies in Laravel Resource Controllers