With the CacheUserProfileService in place, the only way for a user's profile to be evicted is for it to reach the maximum time to cache. But as Mark de Reeper suggested, it may be a bit surprising for a web application user to log out from AM, come back to an application, and see that their profile was not updated!
If the CacheUserProfileService listens to the session notifications, it could evict the user's profile from the cache, and then on the next access the webapp user will see their updated profile.
Note that this is quite a workaround, as AM sends no notification about changes to a user's profile. In a scenario where the route does not involve the AM sessions (SingleSignOnFilter or SessionInfoFilter), such as getting the user's profile of an OAuth2 access_token's subject, this won't help at all.
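The proposed behaviour as an added sketch, not code from IG or AM: a time-bounded profile cache that also evicts an entry when a session-ending notification arrives. The class, method and event-type names (`ProfileCacheSketch`, `onSessionNotification`, `LOGOUT`, `TIMEOUT`, `DESTROY`) are hypothetical, the loader stands in for the profile lookup against AM, and the clock is injected so expiry can be shown without waiting (Java 16+ for `record`).

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.LongSupplier;

// Illustrative sketch only: every name here is hypothetical, not an IG or AM API.
public class ProfileCacheSketch {
    record Entry(String profile, long expiresAtMillis) {}

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, String> loader; // stands in for the profile lookup against AM
    private final LongSupplier clock;              // injected so the demo controls time
    private final long ttlMillis;                  // the "maximum time to cache"

    ProfileCacheSketch(Function<String, String> loader, Duration ttl, LongSupplier clock) {
        this.loader = loader;
        this.ttlMillis = ttl.toMillis();
        this.clock = clock;
    }

    String getProfile(String username) {
        long now = clock.getAsLong();
        // Reuse the entry while it is fresh; otherwise reload and restart the TTL.
        return cache.compute(username, (k, old) -> (old != null && old.expiresAtMillis() > now)
                ? old : new Entry(loader.apply(k), now + ttlMillis)).profile();
    }

    // Invoked for each session notification; only session-ending events evict.
    void onSessionNotification(String eventType, String username) {
        if (eventType.equals("LOGOUT") || eventType.equals("TIMEOUT") || eventType.equals("DESTROY")) {
            cache.remove(username);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a one-user "directory" and a manual clock.
        Map<String, String> directory = new ConcurrentHashMap<>(Map.of("alice", "role=user"));
        long[] now = {0};
        ProfileCacheSketch svc = new ProfileCacheSketch(directory::get, Duration.ofMinutes(10), () -> now[0]);

        System.out.println("first access:        " + svc.getProfile("alice"));
        directory.put("alice", "role=admin");          // profile changes; no notification exists for this
        System.out.println("cached, no event:    " + svc.getProfile("alice"));
        svc.onSessionNotification("LOGOUT", "alice");  // session ends: entry evicted
        System.out.println("after logout event:  " + svc.getProfile("alice"));
        directory.put("alice", "role=auditor");        // sessionless route (e.g. access_token subject)
        System.out.println("no session involved: " + svc.getProfile("alice"));
        now[0] += Duration.ofMinutes(11).toMillis();   // only the TTL refreshes this entry
        System.out.println("after TTL elapsed:   " + svc.getProfile("alice"));
    }
}
```

The fourth access is the case the last paragraph warns about: with no session notification to trigger eviction, the stale entry is served until the TTL expires.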