Salesforce closes a security loophole
I always found it interesting that Salesforce has had a glaring security issue regarding Global Search for as long as I’ve been using it.
Let’s say a user had no access to a Credit Card field on the Contact object via Field Level Security. The user could still do a Global Search on, say, the first 4 digits of the card, which indicates the credit card type (Visa, Mastercard, etc.). Even though the user could not see the Credit Card number on records, Global Search would return any records that contained those four digits.
If the user had access to the Contact object through their Profile/OWD, they would see the records returned and know that those records held those first four digits of the credit card. Thus they would also know the credit card type on the Contact. It always puzzled me that this existed.
Well, they finally shut the door on this one. In Summer ’24, users can no longer search in Global Search on fields that they don’t have access to through Field Level Security. The barn door has been shut.
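The difference between the two behaviours, as an added example that is not Salesforce code or part of the original post: a toy Python model in which field-level security is applied either only when a record is displayed, or also when the search is matched. The records, the `Credit_Card__c` field name and all function names are constructed for illustration; `leaked_ids` is the kind of check a reviewer could run against any search feature that sits on top of field-level permissions.

```python
# Toy model (constructed data, hypothetical names) of search vs. field-level security.
CONTACTS = [  # constructed sample records
    {"Id": "C1", "Name": "Ada Park", "Credit_Card__c": "4111111111111111"},
    {"Id": "C2", "Name": "Raj Iyer", "Credit_Card__c": "5500000000000004"},
    {"Id": "C3", "Name": "Mia Cole", "Credit_Card__c": None},
]

def visible(record, readable):
    """Strip fields the user cannot read, as FLS does when a record is displayed."""
    return {k: v for k, v in record.items() if k == "Id" or k in readable}

def search_display_only_fls(term, readable):
    """Old behaviour as the post describes it: every field is matched,
    and FLS only limits what is shown on the returned records."""
    t = term.lower()
    hits = [r for r in CONTACTS
            if any(t in str(v).lower() for k, v in r.items() if v and k != "Id")]
    return [visible(r, readable) for r in hits]

def search_query_time_fls(term, readable):
    """New behaviour: only fields the user can read take part in matching."""
    t = term.lower()
    hits = [r for r in CONTACTS
            if any(t in str(r[k]).lower() for k in readable if r.get(k))]
    return [visible(r, readable) for r in hits]

def leaked_ids(search, term, readable):
    """Ids of results where no readable field contains the term.
    Each such hit tells the user that a hidden field matched."""
    t = term.lower()
    return [row["Id"] for row in search(term, readable)
            if not any(t in str(v).lower() for k, v in row.items() if k != "Id")]

if __name__ == "__main__":
    user_fields = {"Name"}  # this user has no FLS access to Credit_Card__c
    print(search_display_only_fls("4111", user_fields))              # C1 comes back
    print(leaked_ids(search_display_only_fls, "4111", user_fields))  # ['C1']
    print(search_query_time_fls("4111", user_fields))                # []
```
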