I think @michaelcompton explained it pretty good over here which helped me understand it better:
My example of the admin taking 20s whereas the user was taking 1s mainly deals with the above.
My admin token quantifies the results based solely on a value in the JWT without doing any query logic so we can evaluate the auth, then we stop there and never go to the DB
. However, the user token requires a database request to find out if the user has access based upon data in the database so we then run any remaining database rules in parallel
.
That about sums up the difference for me.