diff --git a/core/lib/Drupal/Core/Entity/EntityListBuilder.php b/core/lib/Drupal/Core/Entity/EntityListBuilder.php
index bc68e06eb2728012579c4a71e4b7760326bb3ece..7bbb3ae342f50fda1ce26fb68241a18029720fa4 100644
--- a/core/lib/Drupal/Core/Entity/EntityListBuilder.php
+++ b/core/lib/Drupal/Core/Entity/EntityListBuilder.php
@@ -95,6 +95,7 @@ public function load() {
    */
   protected function getEntityIds() {
     $query = $this->getStorage()->getQuery()
+      ->accessCheck(TRUE)
       ->sort($this->entityType->getKey('id'));
 
     // Only add the pager if a limit is specified.
diff --git a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php
index b66ac6d0fc7e11f3e39ee84a2453bd18bd6d3458..114b1611a821b638a72217c2f9df744c19b376ab 100644
--- a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php
+++ b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php
@@ -460,6 +460,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
     }
 
     // Add entity-access tag.
+    $query->accessCheck(TRUE);
     $query->addTag($target_type . '_access');
 
     // Add the Selection handler for system_query_entity_reference_alter().
diff --git a/core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php b/core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php
index fc87eac3fb1a9b2fb9b6c7adc861af4813775172..35e024dd50ee7e46630a55a04ac07f74ae5b9112 100644
--- a/core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php
+++ b/core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php
@@ -73,6 +73,7 @@ public static function processDefaultValue($default_value, FieldableEntityInterf
       if ($uuids) {
         $target_type = $definition->getSetting('target_type');
         $entity_ids = \Drupal::entityQuery($target_type)
+          ->accessCheck(TRUE)
           ->condition('uuid', $uuids, 'IN')
           ->execute();
         $entities = \Drupal::entityTypeManager()
diff --git a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
index 4d077f254eee29b0d17ff027a64d216fb87c4396..c0eff555071dbd4f09fcb2230a162a1bf36bcf88 100644
--- a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
+++ b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
@@ -136,6 +136,7 @@ public function checkNodeAccess(array $tree) {
       $nids = array_keys($node_links);
 
       $query = $this->entityTypeManager->getStorage('node')->getQuery();
+      $query->accessCheck(TRUE);
       $query->condition('nid', $nids, 'IN');
 
       // Allows admins to view all nodes, by both disabling node_access
diff --git a/core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php b/core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php
index 8c5ed01882bb14e448d438a33ccd406e713eb9c1..15b9833a69413921063dc556db86739787304d64 100644
--- a/core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php
+++ b/core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php
@@ -129,6 +129,7 @@ public function build() {
     // Load the selected feed.
     if ($feed = $this->feedStorage->load($this->configuration['feed'])) {
       $result = $this->itemStorage->getQuery()
+        ->accessCheck(TRUE)
         ->condition('fid', $feed->id())
         ->range(0, $this->configuration['block_count'])
         ->sort('timestamp', 'DESC')
diff --git a/core/modules/comment/src/CommentManager.php b/core/modules/comment/src/CommentManager.php
index 41556aa759acd0510f293f7edc717a93f46cfaf3..815a391b180fdd49932385eb0c07a161a7581296 100644
--- a/core/modules/comment/src/CommentManager.php
+++ b/core/modules/comment/src/CommentManager.php
@@ -220,6 +220,7 @@ public function getCountNewComments(EntityInterface $entity, $field_name = NULL,
 
       // Use the timestamp to retrieve the number of new comments.
       $query = $this->entityTypeManager->getStorage('comment')->getQuery()
+        ->accessCheck(TRUE)
         ->condition('entity_type', $entity->getEntityTypeId())
         ->condition('entity_id', $entity->id())
         ->condition('created', $timestamp, '>')
diff --git a/core/modules/comment/src/Form/CommentAdminOverview.php b/core/modules/comment/src/Form/CommentAdminOverview.php
index 06f8f4054ac6c26b695ea48c9851cf44e2d06c0f..c1632b376198c44610ed0b83a4bab453d34aadcc 100644
--- a/core/modules/comment/src/Form/CommentAdminOverview.php
+++ b/core/modules/comment/src/Form/CommentAdminOverview.php
@@ -161,6 +161,7 @@ public function buildForm(array $form, FormStateInterface $form_state, $type = '
       'operations' => $this->t('Operations'),
     ];
     $cids = $this->commentStorage->getQuery()
+      ->accessCheck(TRUE)
       ->condition('status', $status)
       ->tableSort($header)
       ->pager(50)
diff --git a/core/modules/media/src/MediaListBuilder.php b/core/modules/media/src/MediaListBuilder.php
index 0f57eac43e74d95c2c97a674d18c61f5ca69fd8a..44ae6a8b7cce20c6b43b666be28a7c6e99076870 100644
--- a/core/modules/media/src/MediaListBuilder.php
+++ b/core/modules/media/src/MediaListBuilder.php
@@ -149,6 +149,7 @@ public function buildRow(EntityInterface $entity) {
    */
   protected function getEntityIds() {
     $query = $this->getStorage()->getQuery()
+      ->accessCheck(TRUE)
       ->sort('changed', 'DESC');
 
     // Only add the pager if a limit is specified.
diff --git a/core/modules/node/src/Controller/NodeController.php b/core/modules/node/src/Controller/NodeController.php
index 5fc72173a0e631f87c71db62ee1aa65de6fd7e57..965cbcb59a1508f561cb71d194673f54b3384fd1 100644
--- a/core/modules/node/src/Controller/NodeController.php
+++ b/core/modules/node/src/Controller/NodeController.php
@@ -300,6 +300,7 @@ public function addPageTitle(NodeTypeInterface $node_type) {
    */
   protected function getRevisionIds(NodeInterface $node, NodeStorageInterface $node_storage) {
     $result = $node_storage->getQuery()
+      ->accessCheck(TRUE)
       ->allRevisions()
       ->condition($node->getEntityType()->getKey('id'), $node->id())
       ->sort($node->getEntityType()->getKey('revision'), 'DESC')
diff --git a/core/modules/path/src/PathAliasListBuilder.php b/core/modules/path/src/PathAliasListBuilder.php
index 4c6ca4622c3001a707d3d387d981c8441f0b72ec..8f980f190fc3c5701ce1f03dc02ee90f1af66e2e 100644
--- a/core/modules/path/src/PathAliasListBuilder.php
+++ b/core/modules/path/src/PathAliasListBuilder.php
@@ -93,7 +93,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
    * {@inheritdoc}
    */
   protected function getEntityIds() {
-    $query = $this->getStorage()->getQuery();
+    $query = $this->getStorage()->getQuery()->accessCheck(TRUE);
 
     $search = $this->currentRequest->query->get('search');
     if ($search) {
diff --git a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
index 24352de93b74b342a92ff56753cc47e0f5e021d1..44133826f13cb5afa8ba78610d337749dc8cdd96 100644
--- a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
+++ b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
@@ -209,6 +209,7 @@ protected function valueForm(&$form, FormStateInterface $form_state) {
       else {
         $options = [];
         $query = \Drupal::entityQuery('taxonomy_term')
+          ->accessCheck(TRUE)
           // @todo Sorting on vocabulary properties -
           //   https://www.drupal.org/node/1821274.
           ->sort('weight')
diff --git a/core/modules/taxonomy/taxonomy.tokens.inc b/core/modules/taxonomy/taxonomy.tokens.inc
index 0f3679d5fc7de458fefd45d132200dac23a260a3..f6cfc6292ac5caa932b3aba80f2ffa8bf2a677e1 100644
--- a/core/modules/taxonomy/taxonomy.tokens.inc
+++ b/core/modules/taxonomy/taxonomy.tokens.inc
@@ -178,6 +178,7 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable
 
         case 'term-count':
           $replacements[$original] = \Drupal::entityQuery('taxonomy_term')
+            ->accessCheck(TRUE)
             ->condition('vid', $vocabulary->id())
             ->addTag('vocabulary_term_count')
             ->count()
diff --git a/core/modules/user/src/UserListBuilder.php b/core/modules/user/src/UserListBuilder.php
index 8c3cef90dfc4c4eba1c05b7bafcd7b1feaf80b9e..4e1323cdeab8af3e159b5055938b7de26493a74a 100644
--- a/core/modules/user/src/UserListBuilder.php
+++ b/core/modules/user/src/UserListBuilder.php
@@ -67,6 +67,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
    */
   public function load() {
     $entity_query = $this->storage->getQuery();
+    $entity_query->accessCheck(TRUE);
     $entity_query->condition('uid', 0, '<>');
     $entity_query->pager(50);
     $header = $this->buildHeader();
diff --git a/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php b/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php
index e1ff34ca6ffbcbe4ca0c59bb658374e6e13425c2..dfaf7789004c024718a6194807d8ff2178986ab8 100644
--- a/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php
+++ b/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php
@@ -292,9 +292,12 @@ public function testCheckNodeAccess() {
 
     $query = $this->createMock('Drupal\Core\Entity\Query\QueryInterface');
     $query->expects($this->at(0))
+      ->method('accessCheck')
+      ->with(TRUE);
+    $query->expects($this->at(1))
       ->method('condition')
       ->with('nid', [1, 2, 3, 4]);
-    $query->expects($this->at(1))
+    $query->expects($this->at(2))
       ->method('condition')
       ->with('status', NodeInterface::PUBLISHED);
     $query->expects($this->once())