You can implement your own authorization system. RBAC is optional depending on your use of the authentication methods on the api side, but as I noted on the web side, you would have to have a means of checking roles or permissions other than or in addition to the hasRole available check.
Redwood has not yet tried to implement SSE yet for the graphql-server or tried to use the subscriptions on the web side. As I noted, this is on the V1+ roadmap. SSE and other subscriptions however, would likely need to be done in a server-full environment.
Please see the deploy instructions for “baremetal” here: Introduction to Baremetal | RedwoodJS Docs
This was announced in the latest release notes: Redwood 1.0.0-rc.final is Available 🚀