The Drupal\Core\Entity\Query\QueryInterface defines an
accessCheck() method, which sets whether an access check should be applied when executing the entity query. The QueryBase defaults this to true.
Most, if not all, content entities in core use the Drupal\Core\Entity\Query\Sql\Query, and this class makes appropriate use of the
accessCheck property when crafting the query. Config entities, however, use the Drupal\Core\Config\Entity\Query\Query class and this class doesn't do access checking, regardless of what the property is set to.
One of the adverse side effects is that the default list builder for config entities (EntityListBuilder) will always display every config entity, regardless of whether you actually have access to view it.