The Context only holds a !PermissionCacheProxy, which conveniently delegates calls to the actual cache. There, the permissions for the user are looked up at most once for each context.
To distinguish between "indirect" resources (e.g. attachments) that can share the same (realm, id), a new `Context.permid()` method has been introduced. The default implementation should be enough to provide a unique key for the resource in the permission system. In the case of attachments, for example, that key can be augmented with the parent context's key.
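The sketch below is an added example, not code from the project: it shows why a permission cache keyed on (realm, id) alone hands one attachment's decision to another attachment with the same name, and how a parent-augmented `permid()` avoids that while still consulting the policy at most once per resource. `AttachmentContext`, `PermissionCache`, `policy` and the sample resources are hypothetical names and constructed data; only `Context.permid()` comes from the text above.

```python
class Context:
    """Hypothetical stand-in for a resource context: realm, id, optional parent."""
    def __init__(self, realm, id, parent=None):
        self.realm, self.id, self.parent = realm, id, parent

    def permid(self):
        # Default key: (realm, id) is unique for "direct" resources.
        return (self.realm, self.id)


class AttachmentContext(Context):
    def permid(self):
        # The same filename can exist under many parents, so the key is
        # augmented with the parent context's key.
        return self.parent.permid() + (self.realm, self.id)


class PermissionCache:
    """Per-user cache that asks the policy at most once per distinct key."""
    def __init__(self, policy, username, key=lambda ctx: ctx.permid()):
        self.policy, self.username, self.key = policy, username, key
        self.decisions = {}
        self.lookups = 0  # number of real policy evaluations

    def has_permission(self, action, context):
        k = (action, self.key(context))
        if k not in self.decisions:
            self.lookups += 1
            self.decisions[k] = self.policy(self.username, action, context)
        return self.decisions[k]


def policy(username, action, context):
    # Constructed rule: anything attached to ticket 42 is private.
    parent = context.parent
    return not (parent is not None and parent.permid() == ("ticket", 42))


def demo():
    public = AttachmentContext("attachment", "log.txt", Context("wiki", "Start"))
    private = AttachmentContext("attachment", "log.txt", Context("ticket", 42))
    # Cache keyed on (realm, id) only: both attachments collide on one entry.
    naive = PermissionCache(policy, "guest", key=lambda c: (c.realm, c.id))
    keyed = PermissionCache(policy, "guest")  # keyed on permid()
    naive_result = [naive.has_permission("VIEW", c) for c in (public, private)]
    keyed_result = [keyed.has_permission("VIEW", c) for c in (public, private, private)]
    return naive_result, keyed_result, keyed.lookups


if __name__ == "__main__":
    print(demo())
```

With the (realm, id) key, the decision cached for the wiki attachment is reused for the private ticket attachment; with `permid()` the two resources get separate entries and the repeated check is served from the cache.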