I thought one of the principals of a dynamic website was to never display links that a user cannot follow. Another related principal would be to give a little more information on what the link might show, like the number of new posts in a link to a forum.
For a portlet, only links the user has privileges to view should be displayed, otherwise the user presented with 50 links, with a number of bad ones, might hesitate to click, fearing rejection. In other words, the links are pre-qualified.
The service contract idea for providing a url to linkable objects sounds great. I really do like it. Besides a tcl function, a wrapper in the form of a url is very handy.
My concern is with displaying information about an object in an unqualified way: just digging through the database, going around an application and showing information before security checks can be performed. This gets back to your main point: it is expensive to do security checks on a huge list of objects, and calculating the url is maybe worse or of the same magnitude. This is where application logic is important: providing a useful, secure and cheap navigation scheme for displaying objects. A portlet would presumably do the same thing, taking a user_id and providing qualified links, or object_ids and an object name or summary.
In the case of a forum portlet, probably only one permission check would be performed on the forum, and not on every thread or message.
I'm just wondering out loud here: what if the package developer could provide views? Instead of individual objects, for which a permission is checked, any whole chunk of useable data which could be tied to an object_id and permission checked with a user_id could be queried. For instance, in a forum package, besides the links to new messages or threads, you could provide a list of who posted the last few messages, kind of a whose on line. In this case the forum_id and the view name would be provide. Maybe that is what a portlet does, but my point here is that a single link to an object may end up being a little limiting. If you could specify a view, a series of urls that contain the object could be used. None of the urls would need to be specified ahead of time, just a link to the redirection url including the object_id and view. So the forum portlet, view as a whose on line, would return a series of user names and user_ids, and the view you should use to look a the user object. Maybe in this case the view would be of the number or list of posts to this forum_id by the user.
Now would a view need to be provided by the developer? Would a view need to be a part of the package that created the data? Not necessarily, maybe it would be better if views were separate packages: unmounted services. So anyone could create a view and distribute it. When you mount a package instance, you could establish which views you want to apply to that instance.