Good question. There's a few things going on here. If a brand new user comes and you store his initial permissions and also setup the web hook to get updates on user permission changes (such as if she removes offline_access from facebook.com/settings/?tab=applications) then you can just query your backend (which would store this somewhere). Then you won't ever have to do this.

What if, for example, this is a pure client side application that doesn't store anything in a backend database? Everytime a user comes to your site, you can check to see if local storage has anything sure, but if they're on a new computer or have cleared their storage, you're in the dark.

Oh, an edge case: If facebook doesn't call your web hook to update your db on the newest permissions before a user revists your site, you may have some bad consequences.

Another edge case: say you have millions of users, only 1000 regularly visit the site. You would have webhooks for a million users updating your backend, rather than just confirming permissions with facebook whenever they arrive to your site. The hop to facebook is probably just as fast, if not faster, than checking in with your own backend. Let Facebook take the brute of the traffic ;)