I have used both relationships (TOs) and filters on portals themselves to limit the records viewed by users (and downloaded to the client). Both seem to work fine, but I've never bench marked to see if one or the other is better (or had much need to).
But I recently noticed that if I restrict access to records using FileMaker security, those records also don't display in a portal. Intuitively this seems to be a good way to limit access without having to implement anything in the TO or on the portal. For example, I only want a user to see invoices for their department when looking at the invoices portal of a client. Can anyone tell me if this has any disadvantages (such as slower performance)? Obviously this will only work where the "filter" is global and we never want that user to access the records.