I understand that each permission update causes 1 API call:
DataPermission.FIND.grantForUser(user1, object);
DataPermission.FIND.grantForUser(user2, object);
DataPermission.UPDATE.grantForUser(user1, object);
DataPermission.UPDATE.grantForUser(user2, object);
This is quite inefficient. My proposal is to attach an ACL to the object which is stored/applied as soon as the object is persisted (like Parse.com does).
Granting permissions to individual users is not efficient, period, no matter what technology you choose to use. A better way is to apply permissions at the ROLE level and have users assigned to roles.
So if you have an object that is shared between two users, and therefore only they are allowed to update this object - how would you do it? I doubt you would create one role for every pair of users, would you?
If you have an object shared between only two users, a question of “efficiency” should not even come up since you’d be performing between 1 and 2 additional calls for the second user. The user that creates the object would already be the object’s owner and thus would not require any additional requests.