This is a very interesting idea and proposal, thank you!
The current access control implementation is very low-level at this point in time and it is not very suited for websites and apps with large amounts of users – but it is not set in stone, of course. Personally I feel that apps should have more freedom in defining their own rules in permissions handling but most likely that will require support for computation and custom logic for vaults.
But we have such thing as type tags in Mutable Data which can have special meaning and processing rules in Vaults – perhaps role-based permissions can work for certain type tags only, so a user will have a choice whether they want to have this network overhead or not?