  1. Core Server
  2. SERVER-648

document level access control

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: 1.3.2
    • Component/s: Security
    • Labels:
      None
    • Server Security

      Access control to the documents in the system would be very helpful. What is done on my current project is to implement an interface that is called during all database operations and returns a boolean to indicate whether or not the document should be included in the result set. We have added some attributes/fields to the document to specify who should be able to access it, and we run through some business rules (i.e., admin vs. normal user, group belonged to, etc.) to determine access.

      The backend that we use currently provided the hook for us via the Java interface for us to implement, and it is simple and effective. I can't see an application layer where munging of the queries or doing subqueries would be as clean or error free.

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            mwaschkowski Mark Waschkowski
            Votes:
            27
            Watchers:
            41

              Created:
              Updated:
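
The hook pattern described in the issue, as an added Python sketch that is not code from the reporter's project or from the server: a boolean per-document check is applied at one chokepoint that every operation passes through. The field names `_owner` and `_read_groups`, the `User` type, `GuardedCollection` and the sample documents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical ACL field names stored on each document (assumption).
OWNER, READ_GROUPS = "_owner", "_read_groups"

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    groups: frozenset = frozenset()

def can_access(user, doc):
    """Boolean hook: True if doc may be included in this user's result set."""
    if user.is_admin or doc.get(OWNER) == user.name:
        return True
    allowed = doc.get(READ_GROUPS)
    # Fail closed: a missing or malformed ACL field grants nothing. A bare
    # string is rejected so "hr" is never matched character by character.
    if not isinstance(allowed, (list, tuple, set, frozenset)):
        return False
    return any(isinstance(g, str) and g in user.groups for g in allowed)

class GuardedCollection:
    """Toy in-memory collection; reads and writes share one filtered path."""
    def __init__(self, docs, hook=can_access):
        self._docs, self._hook = list(docs), hook

    def _visible(self, user, predicate):
        # Single chokepoint: the query predicate AND the access hook.
        return [d for d in self._docs if predicate(d) and self._hook(user, d)]

    def find(self, user, predicate=lambda d: True):
        return [dict(d) for d in self._visible(user, predicate)]

    def count(self, user, predicate=lambda d: True):
        # Counts go through the hook too, so they cannot leak hidden documents.
        return len(self._visible(user, predicate))

    def delete(self, user, predicate):
        doomed = {id(d) for d in self._visible(user, predicate)}
        self._docs = [d for d in self._docs if id(d) not in doomed]
        return len(doomed)

# Constructed sample documents; the third has no ACL fields at all.
DOCS = [
    {"_id": 1, "title": "payroll", "_owner": "alice", "_read_groups": ["hr"]},
    {"_id": 2, "title": "roadmap", "_owner": "bob", "_read_groups": ["eng", "hr"]},
    {"_id": 3, "title": "legacy"},
]
```

Because `count` and `delete` reuse the same filtered view as `find`, a user without access can neither infer a hidden document's existence from a count nor remove it with a broad predicate.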