Checking permissions each time, in my opinion, is the way to go. Storing session values can lead to permissions mismatches especially in the period just after a change has been made.
I would say, though, that there is a specific element in the Server Actions called Security Restrict that allows you to set up a set of permissions (set it up in Globals > Security Providers > Users & Permissions).
Then you just need to add the Security Restrict step to each server action to protect it.
I doubt it will make any difference in terms of performance - maybe @patrick could add confirmation - but it should make creating the Server Actions a bit easier:
If you use it as server-side data on a page
If unauthorised (not logged in) it will redirect the user to the login page. For forbidden (not permitted) it can redirect to another page, maybe a landing page or dashboard.
Also worth considering is the Globals server actions - which run at the start of EVERY Server Action (be careful, putting too much in one of these leads to HUGE duplication of effort)
You could add a condition that if the identity is present, run a query to get the company id etc.
This would replace the library action requirement and be available in the picker for every Server Action file.
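
Added example, not part of the original post and not Wappler's own code: a plain JavaScript sketch of the mismatch described above, where a permission copied into the session at login outlives its revocation while a per-request lookup does not, with the unauthorised (401) and forbidden (403) outcomes kept separate. The in-memory maps, function names, ids and redirect paths are all hypothetical.

```javascript
// Constructed in-memory stand-ins for the permissions table and the session store.
const userPermissions = new Map(); // user id -> Set of permissions (source of truth)
const sessions = new Map();        // session id -> session data

function login(sessionId, userId) {
  // The cached copy is what the "store it in the session" approach relies on.
  const granted = userPermissions.get(userId) || [];
  sessions.set(sessionId, { userId, cachedPermissions: new Set(granted) });
}

// Approach 1: trust the permissions copied into the session at login.
function restrictFromSession(sessionId, required) {
  const s = sessions.get(sessionId);
  if (!s) return { status: 401, redirect: '/login' };      // not logged in
  if (!s.cachedPermissions.has(required)) return { status: 403, redirect: '/dashboard' };
  return { status: 200 };
}

// Approach 2: look the permission up on every request.
function restrictPerRequest(sessionId, required) {
  const s = sessions.get(sessionId);
  if (!s) return { status: 401, redirect: '/login' };      // not logged in
  const current = userPermissions.get(s.userId) || new Set();
  if (!current.has(required)) return { status: 403, redirect: '/dashboard' };
  return { status: 200 };
}

function revoke(userId, permission) {
  const granted = userPermissions.get(userId);
  if (granted) granted.delete(permission);
}

function demo() {
  userPermissions.set(7, new Set(['admin'])); // constructed user with one permission
  login('sess-1', 7);
  const before = restrictPerRequest('sess-1', 'admin').status;
  revoke(7, 'admin');                         // permission changed mid-session
  return {
    before,
    staleSession: restrictFromSession('sess-1', 'admin').status, // still allowed
    perRequest: restrictPerRequest('sess-1', 'admin').status,    // now forbidden
    anonymous: restrictPerRequest('no-such-session', 'admin').status,
  };
}

console.log(demo());
```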