The solution I came to was checking in the toWaterholeUser function before returning the PendingUser. If there is no waterholeUser then I add the waterholeUser with the proper roles based on the permissions from the regular application's "spatie/laravel-permission" system.
Looks good. Could you share your code?