When working with Drupal entities, many developers assume that access control “just works.” This is only partially true. Drupal does provide a robust access system — but only when you interact with entities using the Entity API.
However, if you run raw SQL queries, write custom EntityQuery logic, or misconfigure Views, you can accidentally expose sensitive content to unauthorized users.
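
The contrast described above, as an added example that is not code from the original article. It assumes a bootstrapped Drupal 9.2+ site with the core Node module; the function names, the `article` bundle and the 50-row limit are assumptions made for illustration.

```php
<?php

use Drupal\Core\Session\AccountInterface;

// Function names, the 'article' bundle and the 50-row limit are assumptions
// made for this example.

/**
 * Weak form: raw SQL on the storage table. No access system is consulted,
 * so rows come back regardless of who is asking.
 */
function example_article_titles_unchecked(): array {
  return \Drupal::database()->select('node_field_data', 'n')
    ->fields('n', ['nid', 'title'])
    ->condition('n.type', 'article')
    ->range(0, 50)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Access-aware form: entity query with access checking, then a per-entity
 * check through the Entity API.
 */
function example_article_titles_for(AccountInterface $account): array {
  $storage = \Drupal::entityTypeManager()->getStorage('node');

  // accessCheck(TRUE) tags the query so node access grants are applied in
  // SQL for the current user. accessCheck(FALSE) would skip that.
  $nids = $storage->getQuery()
    ->condition('type', 'article')
    ->accessCheck(TRUE)
    ->range(0, 50)
    ->execute();

  $titles = [];
  foreach ($storage->loadMultiple($nids) as $node) {
    // $node->access() runs the access control handler: published status,
    // permissions and hook_node_access() for the given account.
    if ($node->access('view', $account)) {
      $titles[$node->id()] = $node->label();
    }
  }
  return $titles;
}
```

The query-level check filters for the current user only, which is why the second function still calls `$node->access()` with the explicit account before returning anything.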