an alternative would be permissions post-filtering, where you load a candidate set and then check each item in parallel