column-masks-reapplied-on-cached-results-for-immediate-revocation
When SQL query results are cached, column masking must be re-applied on every cache-hit retrieval, not only at query execution time. This makes role revocation effective immediately: a user whose mask policy changes gets the new mask on the next request even if the underlying data row is still in cache. Skipping this step creates a window where revoked access persists until cache expiry.
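
One way to structure this, as an added example that is not code from any particular product: the cache stores rows as the backend returned them, and the mask is computed from the live policy on each read. `MaskPolicy`, `MaskedResultCache`, the `pii_reader` role, the `ssn` column and the sample row are all hypothetical names and constructed data.

```python
from typing import Callable, Dict, List, Set

# Added example; every class, role, column and query here is hypothetical.
SQL = "SELECT id, name, ssn FROM customers WHERE id = 1"  # constructed query

class MaskPolicy:
    """Live policy store: column -> roles that may see it unmasked."""

    def __init__(self, unmasked_roles: Dict[str, Set[str]]) -> None:
        self.unmasked_roles = unmasked_roles
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def apply(self, user: str, row: dict) -> dict:
        # Roles are read at call time, so a revocation is visible immediately.
        roles = self.user_roles.get(user, set())
        return {
            col: (val if col not in self.unmasked_roles
                  or roles & self.unmasked_roles[col] else "****")
            for col, val in row.items()
        }

class MaskedResultCache:
    """Caches raw rows per query; masks are computed per caller on every read."""

    def __init__(self, policy: MaskPolicy, execute: Callable[[str], List[dict]]) -> None:
        self.policy, self.execute = policy, execute
        self._raw: Dict[str, List[dict]] = {}
        self.backend_calls = 0

    def query(self, user: str, sql: str) -> List[dict]:
        if sql not in self._raw:  # miss: run the query once, store unmasked rows
            self.backend_calls += 1
            self._raw[sql] = self.execute(sql)
        # Hit or miss, the mask is applied here against the current policy.
        return [self.policy.apply(user, row) for row in self._raw[sql]]

def demo():
    policy = MaskPolicy({"ssn": {"pii_reader"}})
    rows = [{"id": 1, "name": "Ada", "ssn": "123-45-6789"}]  # constructed sample row
    cache = MaskedResultCache(policy, lambda _sql: rows)
    policy.grant("alice", "pii_reader")
    before = cache.query("alice", SQL)
    policy.revoke("alice", "pii_reader")  # the row is still cached
    after = cache.query("alice", SQL)
    return before, after, cache.backend_calls
```

Because the cache key does not include the caller and the stored rows are unmasked, the cache itself must be protected like the source table.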