When checking the permissions of a user on a project, all the permissions granted on all projects are loaded in memory. That was initially done on purpose in order to speed-up consecutive verifications on other projects in the same HTTP request. That does not make sense now. The web services involving multiple projects usually rely on the authorization mechanism implemented in Elasticsearch indices. When it's not the case, they should check permissions of the specified projects in a single shot.
That implies to drop the method AuthorizationDao#selectAuthorizedRootProjectsUuids().