diff --git a/core/modules/views/lib/Drupal/views/ViewExecutable.php b/core/modules/views/lib/Drupal/views/ViewExecutable.php
index 4ad1633f8bdf1be5d66c4fd9790b7fa7cf83be23..639cd92bbd0dc30cc2378e5b02b4c08bbd7c59fa 100644
--- a/core/modules/views/lib/Drupal/views/ViewExecutable.php
+++ b/core/modules/views/lib/Drupal/views/ViewExecutable.php
@@ -1384,6 +1384,11 @@ public function executeDisplay($display_id = NULL, $args = array()) {
    * To be called externally, probably by an AJAX handler of some flavor.
    * Can also be called when views are embedded, as this guarantees
    * normalized output.
+   *
+   * This function does not do any access checks on the view. It is the
+   * responsibility of the caller to check $view->access() or implement other
+   * access logic. To render the view normally with access checks, use
+   * views_embed_view() instead.
    */
   public function preview($display_id = NULL, $args = array()) {
     if (empty($this->current_display) || ((!empty($display_id)) && $this->current_display != $display_id)) {