Problem/Motivation
This was reported privately and the security team deemed it could be solved in public.
\Drupal\Core\Field\Plugin\Field\FieldFormatter\StringFormatter renders a link regardless of whether the user in context has access.
Steps to reproduce
Use a StringFormatter formatter where the related entity is inaccessible to the user. Presently, a link will be displayed. If the user attempts to navigate to it they may reach a 403.
Proposed resolution
MR 8317 is for 11.x
Display plain text for the linked entity when the user in context does not have access.
StringFormatter already has a textual fallback for when the entity does not have a canonical template or the link_to_entity setting is off.
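A sketch of the proposed behaviour as a formatter subclass, added here as an illustration and not the code in MR 8317. The module namespace, plugin ID and class name are hypothetical, checking the 'view' operation is an assumption, and the code relies on the parent formatter returning '#type' => 'link' elements whose '#title' holds the plain-text render array.

```php
<?php

namespace Drupal\example_module\Plugin\Field\FieldFormatter;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Field\Attribute\FieldFormatter;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\Plugin\Field\FieldFormatter\StringFormatter;
use Drupal\Core\StringTranslation\TranslatableMarkup;

// Hypothetical plugin: ID, label and namespace are illustrative only.
#[FieldFormatter(
  id: 'example_access_aware_string',
  label: new TranslatableMarkup('Plain text (access-aware link)'),
  field_types: ['string'],
)]
class AccessAwareStringFormatter extends StringFormatter {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = parent::viewElements($items, $langcode);
    if (!$this->getSetting('link_to_entity')) {
      // The parent already produced plain text; nothing to downgrade.
      return $elements;
    }

    // Assumption: 'view' is the operation guarding the linked page.
    // Request the result object so its cacheability can be bubbled.
    $access = $items->getEntity()->access('view', NULL, TRUE);

    foreach ($elements as $delta => $element) {
      if (!$access->isAllowed() && ($element['#type'] ?? NULL) === 'link') {
        // Fall back to the text the link would have wrapped.
        $elements[$delta] = $element['#title'];
      }
      // The output now varies by access, so every item carries the access
      // result's cache contexts and tags, whether or not it stayed a link.
      CacheableMetadata::createFromRenderArray($elements[$delta])
        ->addCacheableDependency($access)
        ->applyTo($elements[$delta]);
    }
    return $elements;
  }

}
```

Without the cacheability step, a render-cached copy built for a user with access could be served to one without it, reintroducing the link.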
Remaining tasks
Implement.
User interface changes
Text link may be displayed when user does not have access.
API changes
It may be necessary to install the user entity and add a default user for tests.
Data model changes
None.