From what I understood you need to filter your query with something like that

query($currentUserId: ID!) {
  allAccounts(filter: {
    user {
      id: $currentUserId
    }
  }) {
    id, 
    name
  }
}

Your request retrieve all the accounts even the one you your user don’t have access to but when you try to read the value it’s in conflict with your rules. At least that’s what I did in my application but I still have some kind of random

Insufficient Permissions

sometimes on the creation but for the reading it works like a charm.