Frank,
If we run acs_permission__perission_p on 10 objects, the results should be fast enough. I don't see any reason to add any additional security checks. Right now the code in tsearch2-driver does the OpenACS standard "if exists" where clause that checkes the acs_object_party_privilege_map and that seems to perform for the number of objects on a site such as OpenACS.org.
OpenACS itself does not need to support permissions systems that do not exist in OpenACS. Checking if the viewing user has read on the actual object returned in the results will always be sufficient.
I don't think there is any plan to defer permissions checking to a callback procedure, although in the case of project open, if you are doing the check in the Tcl layer, and need addtional flexibility beyond the OpenACS permissions system, a callback would seem appropriate.
There are .LRN installations with a greater number of objects than OpenACS.org and we will be testing the performance on that size system, so as we are developing we will have more accurate performance statistics to base our decisions.