today i spotted to places in AccessControlManagerImpl, where i think the principal lookup could be omitted altogether:
a) AccessControlManagerImpl.getPrincipal(Tree) : called when building policies from the content -> principal is always created even if not known.
b) Util.checkValidPrincipal(Principal, PrincipalManager, int) : in case of ImportBehavior.BESTEFFORT the result of the lookup is ignored and the lookup could in this case be omitted.
stillalex, what do you think? If you feel this is worth addressing, I would create a patch.
OAK-8151 Let ACE.getPrincipal return principals obtained from PrincipalManager