ERC20 methods require ownership of tokens from another ERC721 contract

Say I have an ERC721 contract A deployed and all tokens are minted to max supply. Now I want to write an ERC20 contract B that has some methods that require only owners of tokens in contract A can call.

I'm thinking having an address property of contract A in contract B, then call ERC20(contractAAddress).balanceOf(sender) which should returns non zero if the sender address owns any token in contract A. Is there any issue or security concern with this approach where sender can somehow bypass the require check?

Also, how can I check if a sender to a method in contract B has which tokenId of contract A? There is an ownerOf(address) method but it will require looping through all the token supply to find out on each call. Is there a more efficient way?