In AbstractEntityMatch#getValues, we perform permission checks to ensure that we only return entities that the logged-in user is allowed to see (by virtue of being allowed to browse the projects to which the entities belong). However, we ignore the isSecurityOverriden()* flag on the QueryCreationContext. Code which sets this flag to true (e.g. Portfolio's IssueLuceneQueryFactory#getRelevantProjectIds) will often set the applicationUser to null, so we end up performing the same permission checks as we would for a non-logged-in user, which is of course wrong.
The fix is simply to skip the permissions checks if queryCreationContext.securityOverriden is true.
* Yes, that is how they spell it.
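As an added illustration (not code from this ticket or from JIRA itself), the before/after shape of the check in a self-contained Java sketch; the entity, user, context and permission-manager types are stand-ins whose names and shapes are assumed here, with the flag and accessor names taken from the description above:

```java
import java.util.List;
import java.util.stream.Collectors;

// Stand-ins for the JIRA types named in the report; their shapes are assumed, not the real API.
record Project(long id) {}
record Entity(String name, Project project) {}
record User(String name) {}
interface PermissionManager {
    boolean hasBrowsePermission(User user, Project project); // user == null means anonymous
}
final class QueryCreationContext {
    private final User applicationUser;      // override callers often pass null here
    private final boolean securityOverriden; // spelling kept as in the real flag
    QueryCreationContext(User user, boolean overriden) { applicationUser = user; securityOverriden = overriden; }
    User getApplicationUser() { return applicationUser; }
    boolean isSecurityOverriden() { return securityOverriden; }
}
final class EntityMatch {
    private final PermissionManager permissions;
    EntityMatch(PermissionManager permissions) { this.permissions = permissions; }
    private List<Entity> browsableBy(User user, List<Entity> all) {
        return all.stream()
                  .filter(e -> permissions.hasBrowsePermission(user, e.project()))
                  .collect(Collectors.toList());
    }

    // Before the fix: the flag is never consulted, so an override caller that passed a
    // null user is filtered exactly like an anonymous user.
    List<Entity> getValuesBefore(QueryCreationContext ctx, List<Entity> all) {
        return browsableBy(ctx.getApplicationUser(), all);
    }

    // After the fix: an explicit override skips the browse check; every other caller,
    // including a null user without the flag, still gets the per-project check.
    List<Entity> getValuesAfter(QueryCreationContext ctx, List<Entity> all) {
        if (ctx.isSecurityOverriden()) return List.copyOf(all);
        return browsableBy(ctx.getApplicationUser(), all);
    }

    public static void main(String[] args) {
        // Constructed data and policy: anonymous users may browse project 1 only.
        List<Entity> all = List.of(new Entity("public", new Project(1)), new Entity("private", new Project(2)));
        EntityMatch match = new EntityMatch((user, project) -> user != null || project.id() == 1);
        QueryCreationContext override = new QueryCreationContext(null, true);  // e.g. getRelevantProjectIds
        QueryCreationContext anonymous = new QueryCreationContext(null, false);
        System.out.println("override, before fix: " + match.getValuesBefore(override, all));
        System.out.println("override, after fix:  " + match.getValuesAfter(override, all));
        System.out.println("anonymous, after fix: " + match.getValuesAfter(anonymous, all));
    }
}
```

Note that after the fix any context carrying the flag bypasses the browse-permission filter entirely, so the flag must only ever be set by internal callers that apply their own project filtering (as getRelevantProjectIds does), never derived from request input.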