I think our primary complication is that the permissions inherit down our resource tree, so I would expect that we would need to separately maintain the tree structure rather than passing it with each request (I don't think that's scalable with our dataset, 1000+ items to be evaluated). I did see some kind of tag parent structure in the docs but haven't made it back to that page yet.