Hmm... I have two ideas.
- Simple: Add an option for forums where last post does not propagate to the parent forums. Admin-selectable by forum-id in the CP (bleh, it's a "hack" but it might work if you don't like my other suggestion...).
- Hard: Why not just join the row from the posts table back to the forums table... then to the auth_users table... where option_id is whatever one you've chosen to represent "can read forum" (if I'm understanding the new permissions stuff correctly, although by the looks of it perhaps you already have this information cached in user_permissions field of the users table hence in $user->data?). If the user can't read the forum, then simply display the word "Private" where the last post would otherwise appear. Yeah, it's a bit more complex, but it should be cross-db compatible.
Otherwise, why not just tell admins not to put private subforums within public root level forums if they don't want last post being shown. Would be nice to have the option.
Not to annoy either, but have you considered including post_subject or topic_title in the last post column on the index page?
On my board, I just do something like this... a couple of extra bits to the SQL query, then:
$last_post_subject = $forum_data['post_subject'] != '' ? $forum_data['post_subject'] : $forum_data['topic_title'];
$last_post_subject = strlen($last_post_subject) > 25 ? subsr($last_post_subject, 0, 22) . '...' : $last_post_subject;
Then the topic length doesn't get nasty and mess up layout. Only trouble is having to check for HTML special characters, but this can be managed by a constructive use of htmlspecialchars and str_replace.