This looks like a bug, since the auth provider should be consulted for every node accessed. Can you create a bug report in JIRA? A simple test case that replicates the problems would save some time and would be a big help, too.
Actually, if you're ambitious and want to try and tackle the fix yourself, please do. We ALWAYS welcome pull-requests.
Raised [MODE-2225] Custom AuthorizationProvider is not invoked for each child node when iterating through the child nodes of a … as requested. Further discussions around this issue can be found in the JIRA's comments.