Discovered in Commerce: #3003105: The views bundle (type) filter shows items that the user doesn't have access to.
The offered bundles are not filtered for access:
public function getValueOptions() {
if (!isset($this->valueOptions)) {
$types = $this->bundleInfoService->getBundleInfo($this->entityTypeId);
$this->valueTitle = $this->t('@entity types', ['@entity' => $this->entityType->getLabel()]);
$options = [];
foreach ($types as $type => $info) {
$options[$type] = $info['label'];
}
array_multisort($options, SORT_ASC, SORT_REGULAR, array_keys($options));
$this->valueOptions = $options;
}
return $this->valueOptions;
}
This means that the user sees options that always result in no results (assuming query access filtering is performed).
I am proposing that we filter by view access.