For performance it is always going to be faster to access permissions directly in queries, for instance to query for all the content in a content folder one has permission to read.
But for high-level checks on permissions on a single object, yes, the Tcl API should be used.
If you want to play with the caching db_* code I wrote for Greenpeace, I'll send you a copy. I don't know if it's the best way to cache a multirow but you can't beat "db_multirow -cache" for simplicity.
I would like to generalize that code a bit more so it could be more useful. Caching is easy ... the hard problem is synchronizing the cache with db contents in a reasonably easy-to-use way, and there's a follow-on relatively simple problem to solve, namely plugging into the code that memoize now uses to keep cache contents consistent across a server cluster.