79160479

Date: 2024-11-05 19:49:28
Score: 1.5

Just to close out this question and answer the below,

God no! I am not using an email hash as the only thing that authenticates a user. I am using a pair of an access token and a refresh token to authenticate users. Both are signed by different, randomly generated keys and verified by the middleware in every request to a protected route. Both have expiry times, the access token having a very short lifetime and the refresh token a somewhat longer one, and I keep track of the refresh token family in case a consumed refresh token is used. In this case I invalidate all tokens, because someone is trying to use a token that was probably scraped by a hacker. For anyone that might be interested in a more detailed explanation, check out this article: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

The original question was just concerning access to a part of the DB, but as was commented on my initial post, the client shouldn't (and won't) be used as a cache. Instead, the DB will be queried directly.

What I mostly wanted to know was the answer by CBHacking in the first three paragraphs (before the "However"). I wasn't sure how secure salted hashes really are and now I know! :)

Reasons:
  • Blacklisted phrase (1): this article
  • Long answer (-1):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Grif
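The rotation scheme the answer describes (refresh-token families, with the whole family invalidated when an already-consumed token is replayed), as an added, self-contained Python sketch that is not part of the original answer or any library it mentions. The `RefreshTokenFamilies` class, its token format and its in-memory store are assumptions; a real deployment would persist this state and issue the short-lived access tokens separately.

```python
import hashlib
import hmac
import secrets
import time


class RefreshTokenFamilies:
    """Hypothetical in-memory refresh-token rotation with family tracking.

    Token format: "<family>.<token_id>.<expiry>.<hmac>", signed with a random key.
    rotate() marks the presented token consumed and mints a successor in the same
    family; presenting a consumed token again revokes every token in that family."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.key = secrets.token_bytes(32)   # random signing key, separate from the access-token key
        self.ttl = ttl_seconds
        self.tokens = {}                     # token_id -> [family, consumed]
        self.revoked = set()                 # family ids that have been invalidated

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _mint(self, family, now):
        token_id = secrets.token_hex(16)
        body = f"{family}.{token_id}.{int(now) + self.ttl}"
        self.tokens[token_id] = [family, False]
        return f"{body}.{self._mac(body)}"

    def issue(self, now=None):
        """Start a new family at login and return its first refresh token."""
        return self._mint(secrets.token_hex(8), time.time() if now is None else now)

    def rotate(self, token, now=None):
        """Consume `token` and return its successor; raise ValueError on any failure."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 4:
            raise ValueError("malformed token")
        family, token_id, exp, mac = parts
        if not hmac.compare_digest(mac, self._mac(f"{family}.{token_id}.{exp}")):
            raise ValueError("bad signature")          # forged or tampered token
        if now > int(exp):
            raise ValueError("expired")
        if family in self.revoked:
            raise ValueError("family revoked")          # a sibling was replayed earlier
        entry = self.tokens.get(token_id)
        if entry is None:
            raise ValueError("unknown token")
        if entry[1]:
            self.revoked.add(family)                    # replay of a consumed token: kill the family
            raise ValueError("refresh token reuse detected; family revoked")
        entry[1] = True                                 # mark consumed before handing out the successor
        return self._mint(family, now)
```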