PAE is invisible to user space, it only affects the physical addresses that can be mapped. So you'll usually either use PAE in all processes or not at all.
Yes, after you unmap a page you have to invalidate it on all CPUs. OSes generally use IPIs to inform other processes that pages have been unmapped. Invalidation is not a security measure but it is required for correctness: Imagine the following situation:
- Threads S and T both share the same address space but run on different CPUs.
- Page P is mapped at address A.
- Thread S unmaps P and invalidates only locally. Page P is freed.
- The page P is reallocated and mapped into a second process.
- T accesses address A. Because its TLB still contains P, thread T can now manipulate a different process' address space!
The correct solution is to unmap the page immediately but only free it after all CPUs have invalidated it.