Can expensive write-related ACL checks somehow be avoided when a client only wants to read?