Currently the check whether a user as a super user in SimpleAclAuthorizer is performed only after all other ACLs have been evaluated. Since all requests from a super user are granted we don't really need to apply the ACLs.
I believe this is unnecessary effort that could easily be avoided. I've rigged a small test that created 1000 ACLs for a topic and performed a million authorize calls with a principal that was a super user but didn't match any ACLs.
The implementation from trunk took 43 seconds, whereas a version with the super user check moved up only took half a second. Granted, this is a constructed case, but the effects will be the same, if less pronounced for setups with fewer rules.