To make sure my site is secure and all the permissions are set correctly, I am looking for a way to generate a list of every page that a specific user has access to. (So... every menu callback where user_access() returns TRUE for a given uid).

Something that would look like this:

$user->uid == 0

Home

Photos

Contact Us

$user->uid = 23

Home

Photos

Contact Us

Forum

Blog

etc.

A: 

This is not really feasible in Drupal, as there are no real pages from a system perspective, only callback functions taking arguments. To clarify, think of the standard path for node pages:

node/[nid]

This will accept an arbitrary integer for [nid] and then the callback function for the node/% path will try to find a node with a matching id - it is only after looking for it that Drupal 'knows' if the page actually exists.

The same is true for all other paths, so basically you are looking at an (almost) unlimited number of potential pages, with no way to know, short of testing the paths, if they actually 'exist' or end in a 404.

What you could do is take a look at the menu_router table. There you'll find all the registered paths, along with their callback and access_callback functions. For those you could do the checking per user, but the result would be hard to interpret, as the paths are plenty and will contain many placeholders.

A similar option exists if you use URL-Aliases/pathauto. Then you could take the url_alias table and do the check for all the entries in there. But since you are interested in securing your site, this will not really help, as you would miss any path that does not have an alias - and as said above, these are countless.

Henrik Opel
Ok. What if I just wanted a list of accessible nodes?
Rosarch
Check the `node_access()` function. You could loop over all your nodes and check the result of `node_access($op, $node, $account)` for the possible values of `$op` (view, update, create, delete) for the users (`$account`) you're interested in. Certainly doable, but still quite some processing, given enough nodes and users ...
Henrik Opel
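
The per-node loop suggested in the last comment, as an added example that is not part of the original answer or comments. It assumes Drupal 7 APIs and a bootstrapped site (for example, run through `drush php-script`); `audit_node_access()` is a hypothetical helper name.

```php
<?php
// Added example. Assumes Drupal 7; run inside a bootstrapped site, for example
// with `drush php-script`. audit_node_access() is a hypothetical helper name.

/**
 * Returns array(uid => array(op => array of node paths the account may use)).
 */
function audit_node_access(array $uids, array $ops = array('view', 'update', 'delete')) {
  // 'create' is left out: node_access('create', ...) expects a node type
  // string rather than a loaded node, so it cannot be checked per node.
  $accounts = array();
  foreach ($uids as $uid) {
    // uid 0 has no usable login account; use the anonymous user object.
    $account = $uid ? user_load($uid) : drupal_anonymous_user();
    if ($account) {
      $accounts[$uid] = $account;
    }
  }

  $report = array();
  $nids = db_query('SELECT nid FROM {node} ORDER BY nid')->fetchCol();
  // Work in chunks and reset the entity cache so memory stays bounded
  // on sites with many nodes.
  foreach (array_chunk($nids, 100) as $chunk) {
    foreach (node_load_multiple($chunk) as $node) {
      foreach ($accounts as $uid => $account) {
        foreach ($ops as $op) {
          // node_access() takes the account explicitly, so no user
          // switching or session impersonation is needed.
          if (node_access($op, $node, $account)) {
            $report[$uid][$op][] = 'node/' . $node->nid;
          }
        }
      }
    }
    entity_get_controller('node')->resetCache($chunk);
  }
  return $report;
}

// Constructed sample input: anonymous (uid 0) and the uid 23 from the question.
foreach (audit_node_access(array(0, 23)) as $uid => $by_op) {
  foreach ($by_op as $op => $paths) {
    print "uid $uid may $op: " . implode(', ', $paths) . "\n";
  }
}
```

An account that has no access at all does not appear in the result, and uid 1 passes every check, so the output is only informative for regular accounts.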