Out of the box , everything is very flexible.
I refused only the Policy generator, and all validations through the Gate contract in the FormRequest in the authorize method.
Somehow it all works out.
// form request

<?php

namespace App\Http\Requests\User;

use App\Models\User;
use Illuminate\Contracts\Auth\Access\Gate;
use Illuminate\Foundation\Http\FormRequest;

class DestroyRequest extends FormRequest
{
    public function authorize(Gate $gate)
    {
        $id = $this->route()->getParameter('user');

        return $gate->authorize('destroy', User::query()->findOrFail($id));
    }

    public function rules()
    {
        return [

        ];
    }
}

<?php

namespace App\Http\Controllers\Api;

use App\Contracts\IUsersService;
use App\Http\Controllers\Controller;
use App\Http\Requests\User\DestroyRequest;
use App\Http\Requests\User\IndexRequest;

class UsersController extends Controller
{
    public function destroy(DestroyRequest $request, $id)
    {
        // do stuff
    }
}

<?php

namespace App\Policies;

use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    public function index()
    {
        return true;
    }

    /**
     * rbac:user.destroy
     */
    public function destroy(User $user, User $entity)
    {
        if ($entity->hasRole(User::ROLE_ROOT)) {
            return false;
        }

        return $user->isEditor();
    }
}

https://cartalyst.com/manual/sentinel/2.0

Use https://github.com/Zizaco/entrust
On the latest versions of Laravel, there may be an error, you need to manually register the user table in the migration.

You can try this option https://github.com/itstructure/laravel-rbac