Until Drupal 9.2, if ::accessCheck() is not called then the query would default to checking access, i.e. behave as if ::accessCheck(TRUE) had been called. This behavior has been the source of many bugs, as it is easy for developers to forget that this happens.

Not calling ::accessCheck() has now been deprecated, and all entity queries on content entities should always include an explicit call to ::accessCheck() prior to the query being executed. For Drupal 10 this will be enforced by throwing an exception if ::accessCheck() is not called.

Example:

BEFORE

// This gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
  ->condition('type', 'article')
  ->execute();

// This also gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
  ->accessCheck(TRUE)
  ->condition('type', 'article')
  ->execute();

// This gets all articles that exist regardless of access.
$ids = \Drupal::entityQuery('node')
  ->accessCheck(FALSE)
  ->condition('type', 'article')
  ->execute();

AFTER

// This will trigger a deprecation error.
$ids = \Drupal::entityQuery('node')
  ->condition('type', 'article')
  ->execute();

// Unchanged: This gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
  ->accessCheck(TRUE)
  ->condition('type', 'article')
  ->execute();

// Unchanged: This gets all articles that exist regardless of access.
$ids = \Drupal::entityQuery('node')
  ->accessCheck(FALSE)
  ->condition('type', 'article')
  ->execute();

Source: https://www.drupal.org/node/3201242 

 

Saved you some valuable time?

Buy me a drink 🍺