ACLs are easy to treat as a pure security feature and forget that they also sit on a hot path.
When an instance loads a form, renders a list, or reads fields through server-side code, ACL evaluation can happen many times. That is why small misunderstandings in ACL design turn into both security confusion and avoidable performance cost.