Avoid using `loadByProperties` to load entities
Drupal’s entity storages have a
loadByProperties method to simplify loading entities based on conditions. For configuration entities, these are on their properties. For content entities, these are on their field values. It is a common carry-over from the old days of Drupal 7 with
entity_load_multiple and the properties condition argument.
There is just one big problem! The
loadByProperties method disables entity access checks. That makes this method unsafe and causes it to bypass entity query access checks.