I'm about to add security to my Grails App, and I'd like to know from your experiences what's the best approach:

  1. To add fields to the Person Domain class (such as phone, address, etc.)
  2. To create an independent Domain class and map it one to one to the Person class
A: 

I suggest you use the http://grails.org/plugin/acegi plugin and add properties to the User class if they are directly related to the concept of an account and where it makes sense to have them loaded every time you access the user.

Remember that the user object is going to exist in the session for as long as a user is logged in, and this means that it will become disconnected from the Hibernate session (you can't just call save on it) and will also need to be serializable if you cluster the app.

I would not add phone number or address to my user object but I might add email address (you'll probably have to search users by email at some point) or a link to a profile picture (as you might be displaying this all over your site and not want to keep loading it).

I like to keep the user object small and avoid the temptation to add accessors for every table that contains a user id.

Dave
A: 

We are using a data model that has separate domain classes for Phone, Address and other related properties and associate them to the User domain using lazy loading. This accomplishes the accessibility that we needed while keeping the object size under control.

JeffSea
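
The layout both answers describe, sketched as GORM domain classes. This is an added example, not code from either answer or from the acegi plugin; every class, property and method name is an assumption, and it expects to run inside a Grails application.

```groovy
// grails-app/domain/User.groovy  (hypothetical names throughout)
// Small account object: only what is needed on every request.
class User implements Serializable {
    private static final long serialVersionUID = 1L

    String username
    String passwordHash
    String email            // searched often, so kept on the account itself

    // Contact details live in their own tables. GORM loads these
    // collections lazily by default; the mapping below makes it explicit.
    static hasMany = [phones: Phone, addresses: Address]

    static constraints = {
        username blank: false, unique: true
        email email: true, unique: true
    }

    static mapping = {
        phones lazy: true
        addresses lazy: true
    }
}

// grails-app/domain/Phone.groovy
class Phone implements Serializable {
    String number
    static belongsTo = [user: User]
}

// grails-app/domain/Address.groovy
class Address implements Serializable {
    String street
    String city
    static belongsTo = [user: User]
}

// In a service: the copy held in the HTTP session is detached, so re-read
// the row by id inside the current Hibernate session before touching the
// lazy collections or saving.
def addPhone(Long sessionUserId, String number) {
    User user = User.get(sessionUserId)
    user.addToPhones(new Phone(number: number))
    user.save(flush: true)
}
```

Because the collections are lazy, the object placed in the session carries no phone or address rows unless something touched them first, which keeps that personal data out of serialized or replicated session state.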