How CES Handles the Sitecore Permission Model with the Legacy Connector
CES overcomes this problem by implementing heuristic detecting cases where a user might have the right to see a document; even if that user is part of the role that does not have the right to see the same document.
The counterpart of that solution is that security changes on the Sitecore side are not considered by CES in an incremental refresh run by default. You must have a refresh schedule set on your sources if such security is present in your site. Fortunately, CES logs a warning during the source indexing if such security is encountered. If your security model works like the one expected by CES, the connector operates normally.
Note: You can also set the IncrementalRefreshIncludeSecurity advanced parameter to True (see Modifying Hidden Sitecore Source Parameters for the Legacy Connector).