When Confluence checks permissions at the group level, it retrieves all the groups a user is a member of, then looks for a matching permission against each of those groups. This performs terribly when the user is a member of a large number of groups.

Performance would almost always be better, or at least be much more predictable if you grab all the group-level permissions for the space, then perform memberOf() checks against the user for each group. (Especially in situations like LDAP where memberOf() is really cheap, but getting all groups for a user is painfully expensive)