We haven't really figured out yet what concepts the authorization model should be based on. From my point of view it should at least be based on device ID and Tenants. Whether this will be mapped to topics is a question of the particular underlying messaging infrastructure used, e.g. if we use RabbitMQ or Kafka a "Tenant" might indeed be mapped to a "Topic". However, a client connecting to Hono should not bother with Topics but instead use the higher level abstractions provided by Hono, in this case a client should be authenticated as belonging to a particular Tenant and hence be authorized to access data from devices belonging to that Tenant.
Whether the user/device registry will be extensible is a question of whether we see any use cases that would require it to be, I guess. So far, I have no such use case in mind but that's why we are interested in attracting more people to the project who can bring in new use cases and ideas :-)
If by "injectable" you mean "can be integrated with" then I think the answer should be "yes". It would be nice if Hono could be integrated with e.g. OAuth or maybe SAML or any other token based auth system. Do you have experience in this area or anything particular in mind? We could sure use help in that area :-)
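The tenant-scoped authorization model sketched in the first paragraph (client authenticated as belonging to a tenant, authorized only for devices of that tenant, topic layout hidden behind the abstraction) can be illustrated with a small constructed example. This is added illustration, not Hono code or a proposal from the thread; the registry, the `telemetry:read` scope and the `telemetry/<tenant>/<device>` topic layout are all assumptions made up for the example.

```python
"""Tenant-scoped authorization for device data (constructed example, not Hono code)."""
from dataclasses import dataclass


class AuthorizationError(PermissionError):
    """Raised when a client may not access the requested device data."""


@dataclass(frozen=True)
class Principal:
    """Outcome of authentication. The tenant is asserted by the auth layer
    (e.g. from a validated token), never taken from the client's request."""
    client_id: str
    tenant: str
    scopes: frozenset


class DeviceRegistry:
    """Minimal in-memory registry keyed by tenant (assumed design):
    device IDs only need to be unique within a tenant."""

    def __init__(self):
        self._by_tenant = {}

    def register(self, tenant, device_id):
        self._by_tenant.setdefault(tenant, set()).add(device_id)

    def is_registered(self, tenant, device_id):
        return device_id in self._by_tenant.get(tenant, set())


def authorize(principal, registry, device_id, scope):
    """Deny unless the client holds the scope AND the device belongs to the
    client's own tenant. The lookup is scoped by the authenticated tenant, so a
    device owned by another tenant is indistinguishable from a nonexistent one:
    the check cannot be used to probe which device IDs other tenants have."""
    if scope not in principal.scopes:
        raise AuthorizationError(f"client {principal.client_id} lacks scope {scope}")
    if not registry.is_registered(principal.tenant, device_id):
        raise AuthorizationError(
            f"device {device_id} not found in tenant {principal.tenant}")
    return True


def is_authorized(principal, registry, device_id, scope):
    """Boolean convenience wrapper around authorize()."""
    try:
        return authorize(principal, registry, device_id, scope)
    except AuthorizationError:
        return False


def topic_for(tenant, device_id):
    """Infrastructure-specific topic layout (assumed). Clients never build
    this themselves; the tenant segment always comes from the principal."""
    return f"telemetry/{tenant}/{device_id}"


def resolve_telemetry_topic(principal, registry, device_id):
    """What a broker-facing adapter would do: authorize first, then map the
    (authenticated tenant, device) pair onto the underlying topic."""
    authorize(principal, registry, device_id, "telemetry:read")
    return topic_for(principal.tenant, device_id)


# Constructed sample data: two tenants that both own a device called "sensor-1".
REGISTRY = DeviceRegistry()
REGISTRY.register("tenant-a", "sensor-1")
REGISTRY.register("tenant-b", "sensor-1")
REGISTRY.register("tenant-b", "sensor-2")

CLIENT_A = Principal("app-a", "tenant-a", frozenset({"telemetry:read"}))
CLIENT_B_NO_SCOPE = Principal("app-b", "tenant-b", frozenset())


def demo():
    """Returns (topic granted to client A, list of denial messages)."""
    granted = resolve_telemetry_topic(CLIENT_A, REGISTRY, "sensor-1")
    denials = []
    for principal, dev in ((CLIENT_A, "sensor-2"),            # other tenant's device
                           (CLIENT_B_NO_SCOPE, "sensor-2")):  # own device, no scope
        try:
            resolve_telemetry_topic(principal, REGISTRY, dev)
        except AuthorizationError as exc:
            denials.append(str(exc))
    return granted, denials


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the tenant never appears as a client-controlled input: it is attached to the principal at authentication time and used both to scope the registry lookup and to build the topic name, so a client cannot reach another tenant's data simply by naming a different topic or device ID.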