About Query Based Portfolio Security

When you run a query, it finds all items or portfolios that match the criteria, drawing only from the items and portfolios that the user can see. Only the category values for which the user has Read Data permission are considered.

Although a query does not return the value of a specific category, it could be used to expose the values of restricted data. For example, "include all the projects with budgets over a million dollars" might list categories that are restricted. To avoid such an exploit of the system, all queries must have Read Data permission on their source categories.

To grant someone the right to define the query, you must have Admin permission on the query-based portfolio (QBP). The query will have the same permissions to access data as the specified user.

By default, the query has the same permissions as the user who created the QBP. In some cases, the user who creates the query might want to specify a different permission level to limit access to items or portfolios that are restricted from the target user group. Bear in mind, however, that if a user's permissions are not sufficient, the resulting QBP will not contain some of the intended items or portfolios.

Any user with Edit permission on the portfolio can see the full query (even if they do not have access to some of the categories) and edit the query. When editing the query, you will be able to select only those categories for which you have Read permission.

Note: Anyone with Edit permission on the portfolio can run the query and cause the portfolio to be refreshed with up-to-date results. The permissions of the person who runs the query do not affect the scope of the results in any way. The scope is set only by the permissions of the user who was selected in the Query Permissions dialog box.
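
The following added example is a simplified model of the rules above and is not the product's own code. It shows the budget query exposing restricted data when the Read Data check is skipped, and the scope following the selected query user instead of the person who runs the query. All class, function and user names are hypothetical, the sample items are constructed, and Read Data is modelled per category, with an unreadable source category producing no matches.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: item -> {category: value}
ITEMS = {
    "Apollo":   {"Budget": 2_500_000, "Status": "Active"},
    "Borealis": {"Budget": 400_000,   "Status": "Active"},
    "Cobalt":   {"Budget": 1_800_000, "Status": "On Hold"},
}

@dataclass(frozen=True)
class User:
    name: str
    visible_items: frozenset   # items this user can see
    read_data: frozenset       # categories with Read Data permission (assumed per category)

@dataclass
class QueryBasedPortfolio:
    category: str                        # source category of the query
    predicate: Callable[[object], bool]  # query criterion on that category
    query_user: User                     # user selected in Query Permissions
    editors: frozenset                   # names with Edit permission on the QBP
    members: list = field(default_factory=list)

    def refresh(self, runner: User, enforce: bool = True) -> list:
        """Re-run the query; enforce=False models skipping the Read Data check."""
        if runner.name not in self.editors:
            raise PermissionError(f"{runner.name} lacks Edit permission")
        scope = self.query_user          # the runner never widens or narrows scope
        if enforce and self.category not in scope.read_data:
            self.members = []            # unreadable category values are not considered
        else:
            self.members = sorted(
                name for name in scope.visible_items
                if self.predicate(ITEMS[name][self.category]))
        return self.members

def over_a_million(query_user: User, runner: User, enforce: bool = True) -> list:
    qbp = QueryBasedPortfolio("Budget", lambda v: v > 1_000_000, query_user,
                              frozenset({"analyst", "finance"}))
    return qbp.refresh(runner, enforce)

ALL = frozenset(ITEMS)
analyst = User("analyst", ALL, frozenset({"Status"}))  # no Read Data on Budget
finance = User("finance", frozenset({"Apollo", "Borealis"}), frozenset({"Budget", "Status"}))

if __name__ == "__main__":
    print(over_a_million(analyst, analyst, enforce=False))  # membership reveals Budget
    print(over_a_million(analyst, analyst))                 # Read Data check enforced
    print(over_a_million(finance, analyst))                 # scope follows finance, not the runner
```

When auditing a QBP, the user selected in Query Permissions is the identity to review, because everyone with Edit permission refreshes the portfolio at that user's scope.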

Related Topics

Defining Security Permissions



Copyright © 1998, 2020

Last Published Thursday, December 10, 2020