This could be a bug, or I'm doing something wrong.

When using SearchDataSource for a pure criteria based search makes it ignore its AccessLevel property. Try by adding some criteria and searching without SearchQuery and make sure you get some results as an unauthenticated user. Then set for example AccessLevel="Administer" in markup if that should yield different results. Try the search and see that nothing changed.

I looked at the code in Reflector and it seems to be because when SearchDataSource does not have a SearchQuery it executes FindPagesWithCriteria and then returns. It does not filter the pages for access. However this seems to work OK in most instances because FindPagesWithCriteria seems to match the access rights even though it shouldn't? In any case the AccessLevel property is ignored in this case, because it is handled by the filter which is only executed when SearchQuery is set.

IMHO the pure-criteria search should be handled the same way as the pure query or query/criteria combination, when filtering for access that is. Get all pages ignoring access rights with FindPagesWithCriteria (should ignore access rights, but sometimes doesn't, so might use FindAllPagesWithCritiera?), and then execute the access filter locally.