column-masks-reapplied-post-cache-defense-in-depth

RLS column masks are re-applied to QueryResult cache hits at read time, not just at query execution time. This ensures role revocations take effect on the next request even if the cached result was computed under a more permissive role. Cache invalidation on role change is expensive; re-masking at retrieval is cheap and correct.
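
The read-time re-masking described above, as an added example that is not code from the original system. `RoleStore`, `MaskingCache`, `apply_masks`, the policy table and the sample row are hypothetical; it assumes the cache stores unmasked rows keyed by query text and covers column masks only, not row filters.

```python
from dataclasses import dataclass
# Constructed policy (assumption): column -> roles allowed to see it unmasked.
COLUMN_MASKS = {"ssn": {"analyst"}, "salary": {"analyst", "manager"}}
MASKED = "***"

@dataclass(frozen=True)
class QueryResult:
    columns: tuple
    rows: tuple  # tuple of row tuples, stored unmasked in the cache

class RoleStore:  # hypothetical live source of truth for role grants
    def __init__(self):
        self._roles = {}
    def grant(self, user, role):
        self._roles.setdefault(user, set()).add(role)
    def revoke(self, user, role):
        self._roles.get(user, set()).discard(role)
    def roles_of(self, user):
        return frozenset(self._roles.get(user, ()))

def apply_masks(result, roles):
    """Mask each protected column that the caller's current roles do not cover."""
    hidden = {i for i, c in enumerate(result.columns)
              if c in COLUMN_MASKS and not (COLUMN_MASKS[c] & roles)}
    return QueryResult(result.columns, tuple(
        tuple(MASKED if i in hidden else v for i, v in enumerate(row))
        for row in result.rows))

class MaskingCache:  # hypothetical cache keyed by query text
    def __init__(self, role_store, execute):
        self._roles, self._execute, self._store = role_store, execute, {}
        self.executions = 0
    def query(self, user, sql):
        if sql not in self._store:  # miss: execute once, keep the raw result
            self._store[sql] = self._execute(sql)
            self.executions += 1
        # Hit or miss: roles are looked up now, never taken from the entry.
        return apply_masks(self._store[sql], self._roles.roles_of(user))
def fake_execute(sql):  # constructed sample data, stands in for the engine
    return QueryResult(("name", "ssn", "salary"), (("alice", "123-45-6789", 90000),))

def demo():
    roles = RoleStore()
    roles.grant("bob", "analyst")
    cache = MaskingCache(roles, fake_execute)
    before = cache.query("bob", "SELECT * FROM staff")
    roles.revoke("bob", "analyst")  # note: the cache is not invalidated
    after = cache.query("bob", "SELECT * FROM staff")
    return before, after, cache.executions
```

`demo()` returns the unmasked row from before the revocation, the masked row from after it, and an execution count of 1, so the second read was served from the cache and still reflected the revoked role.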