A simple exploit can completely bypass User Permissions.
When using a Link field, a request is made to frappe.desk.search.search_link and a field ignore_user_permissions is sent. By copying the request and changing the value from 0 to 1, a user can have access to documents he shouldn’t have access to, regardless of doctype configuration.
I can’t figure out the intention of allowing the frontend to decide if permissions will be applied or not; it must be a mistake. It seems to me that the field level configuration of “Ignore User Permissions” should always be validated in the backend.
From my tests, the search_link whitelisted method returns only the name and title. search_widget in the same file is also a whitelisted method with the same problem. I don’t know if there is any other whitelisted method with this issue that provides more fields.
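
A minimal model of the backend validation argued for above, added as an example; it is not Frappe's code and not part of the original post. It contrasts a handler that trusts the request's ignore_user_permissions value with one that derives it from server-side field configuration. All names here (FIELDS, DOCS, USER_PERMISSIONS, the reference_doctype and fieldname parameters) and all data are assumptions constructed for illustration.

```python
# Constructed model, not Frappe code: every name and record below is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class LinkField:
    options: str                   # doctype the Link field points at
    ignore_user_permissions: bool  # set by an administrator in the field config

# Server-side field metadata, keyed by (parent doctype, fieldname). Constructed sample.
FIELDS = {
    ("Sales Order", "customer"): LinkField("Customer", False),
    ("Sales Order", "company"): LinkField("Company", True),
}
# Documents and per-user restrictions. Constructed sample.
DOCS = {"Customer": ["ACME", "Globex", "Initech"], "Company": ["HQ", "Branch"]}
USER_PERMISSIONS = {"alice": {"Customer": {"ACME"}, "Company": {"HQ"}}}

def _search(user, doctype, txt, ignore):
    """Return matching names, filtered by the user's restrictions unless ignore is set."""
    names = [n for n in DOCS.get(doctype, []) if txt.lower() in n.lower()]
    if ignore:
        return names
    allowed = USER_PERMISSIONS.get(user, {}).get(doctype)
    # In this model, no restriction recorded for a doctype means no filtering.
    return names if allowed is None else [n for n in names if n in allowed]

def search_link_trusting(user, doctype, txt, ignore_user_permissions=0):
    """Behaviour described in the post: the value sent in the request decides."""
    return _search(user, doctype, txt, bool(int(ignore_user_permissions)))

def search_link_validated(user, doctype, txt, reference_doctype, fieldname,
                          ignore_user_permissions=0):
    """The request value is accepted for compatibility but never consulted.

    The decision comes from the configuration of the Link field that issued the
    search, and only when that field really points at the searched doctype.
    """
    field = FIELDS.get((reference_doctype, fieldname))
    ignore = bool(field and field.options == doctype
                  and field.ignore_user_permissions)
    return _search(user, doctype, txt, ignore)
```
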