Use case:
Use a term reference field on a node. Configure a term to provide access to a role. Configure this module with `Permissions mode`.
Assign the `access content` permission to the role.
Access a list of that node type at `/jsonapi/node/article`, for example.
Expected:
Only the nodes with that term are shown.
Actual:
All nodes are shown.
----
Viewing things through the browser works as expected, only nodes with the terms can be seen.
I've narrowed it down to this code:
```php
/**
 * Implements hook_node_access().
 *
 * Forwards user by drupal_access_denied(); to an access denied page, if a
 * single restricted node is called.
 *
 * This hook is not fired if admin is logged in. Users with the
 * "bypass node access" permission may always view and edit content
 * through the administrative interface.
 */
function permissions_by_term_node_access(NodeInterface $node, $op, AccountInterface $account) {
  /* @var \Drupal\permissions_by_term\Service\AccessCheck $accessCheck */
  $accessCheck = \Drupal::service('permissions_by_term.access_check');
  $accessCheck->dispatchDeniedEventOnRestricedAccess($node->id(), $node->language()->getId());
}
```
This code as described throws a message which forwards the user in the browser. But... that doesn't apply to the API endpoint and thus it does nothing and the default `access content` permission says we can access the content. If I remove that permission, I cannot access content at all on the browser or through the API.
I expect node_access hooks to return an AccessResult object. Why use this redirect pattern instead of the AccessResult object?
I'll submit a patch where I swap the message for the AccessResult object which worked for us. If this is a more specific use case, people can use the patch in a custom module.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | permissions_by_term--use-access-result--3091280--3.patch | 1.43 KB | damontgomery |
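The pattern the report asks for, sketched as an added example; it is not the attached patch or the module's own code. The module name `mymodule` is hypothetical, and the `canUserAccessByNodeId()` call on the access-check service is an assumption about the installed version's API.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * "mymodule" is a hypothetical custom module name.
 */
function mymodule_node_access(NodeInterface $node, $op, AccountInterface $account) {
  // Only gate viewing here; other operations are left to core and to
  // whichever modules handle them.
  if ($op !== 'view') {
    return AccessResult::neutral();
  }

  /** @var \Drupal\permissions_by_term\Service\AccessCheck $accessCheck */
  $accessCheck = \Drupal::service('permissions_by_term.access_check');

  // Assumption: the service exposes a boolean check with this name and
  // argument order. Substitute the check your installed version provides.
  $allowed = $accessCheck->canUserAccessByNodeId(
    $node->id(),
    $account->id(),
    $node->language()->getId()
  );

  // forbidden() wins over the "allowed" that the `access content` permission
  // produces, so the decision holds for every caller of the entity access
  // API, not only for page requests that can be redirected. neutral() leaves
  // the decision to core and other modules.
  $result = $allowed
    ? AccessResult::neutral()
    : AccessResult::forbidden('Restricted by taxonomy term.');

  // The outcome differs per user and per node; declare that so a cached
  // result for one account is never served to another.
  return $result->cachePerUser()->addCacheableDependency($node);
}
```

Returning an access result instead of dispatching a redirect event means the denial travels with the entity access check itself, which is what a non-browser consumer such as the JSON:API endpoint evaluates.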
Comments
Comment #2
damontgomery commented
Sorry, I selected the wrong module.
Comment #3
damontgomery commented
Comment #4
damontgomery commented
Sorry for creating a duplicate issue here. I've got so many tabs open with similar names. :(