Yes, if you wanted to do this, you'd have to make a custom policy assertion.
(Note however that we don't expose the ReaderQuotas in metadata because we intend to treat them as a local decision - the quotas are used as throttles to help prevent various kinds of DoS attacks. So I would be wary of doing this, because you are effectively trusting the server to give you metadata that describes how to configure some aspects of the client's local security.)
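
One way to act on the caution above, as an added example that is not part of the original reply or of WCF itself: if a custom policy assertion does carry reader quotas, treat them as untrusted hints and cap each one at a locally chosen ceiling before it reaches the client binding. `LocalQuotaPolicy`, `Ceiling` and `ApplyClamped` are hypothetical names, and the ceiling values are constructed.

```csharp
using System;
using System.ServiceModel.Channels;
using System.Xml;

// Added example; LocalQuotaPolicy, Ceiling and ApplyClamped are hypothetical names.
static class LocalQuotaPolicy
{
    // Locally chosen upper bounds (constructed values; tune per application).
    static readonly XmlDictionaryReaderQuotas Ceiling = new XmlDictionaryReaderQuotas
    {
        MaxDepth = 32,
        MaxStringContentLength = 64 * 1024,
        MaxArrayLength = 64 * 1024,
        MaxBytesPerRead = 4096,
        MaxNameTableCharCount = 16384
    };

    // 'suggested' is whatever a custom policy assertion delivered from server
    // metadata: untrusted input. Pass null to apply the local ceiling as-is.
    public static CustomBinding ApplyClamped(Binding imported, XmlDictionaryReaderQuotas suggested)
    {
        var binding = new CustomBinding(imported);
        XmlDictionaryReaderQuotas q = FindQuotas(binding);
        q.MaxDepth = Clamp(suggested?.MaxDepth, Ceiling.MaxDepth);
        q.MaxStringContentLength = Clamp(suggested?.MaxStringContentLength, Ceiling.MaxStringContentLength);
        q.MaxArrayLength = Clamp(suggested?.MaxArrayLength, Ceiling.MaxArrayLength);
        q.MaxBytesPerRead = Clamp(suggested?.MaxBytesPerRead, Ceiling.MaxBytesPerRead);
        q.MaxNameTableCharCount = Clamp(suggested?.MaxNameTableCharCount, Ceiling.MaxNameTableCharCount);
        return binding;
    }

    // Missing or non-positive hints fall back to the ceiling; larger ones are capped.
    static int Clamp(int? hint, int ceiling) =>
        hint.HasValue && hint.Value > 0 ? Math.Min(hint.Value, ceiling) : ceiling;

    // The quotas live on the message encoding element of the binding.
    static XmlDictionaryReaderQuotas FindQuotas(CustomBinding b)
    {
        var text = b.Elements.Find<TextMessageEncodingBindingElement>();
        if (text != null) return text.ReaderQuotas;
        var binary = b.Elements.Find<BinaryMessageEncodingBindingElement>();
        if (binary != null) return binary.ReaderQuotas;
        var mtom = b.Elements.Find<MtomMessageEncodingBindingElement>();
        if (mtom != null) return mtom.ReaderQuotas;
        throw new NotSupportedException("Binding has no recognized message encoding element.");
    }
}
```

Calling `LocalQuotaPolicy.ApplyClamped(importedBinding, null)` ignores server hints entirely and keeps the quotas a purely local decision.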