diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb
index 3938a29874b..db9bcaa0f54 100644
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@@ -316,7 +316,12 @@ class CategoriesController < ApplicationController
     page = [1, params[:page].to_i].max
     offset = params[:offset].to_i
     parent_category_id = params[:parent_category_id].to_i if params[:parent_category_id].present?
-    only = Category.where(id: params[:only].to_a.map(&:to_i)) if params[:only].present?
+    only =
+      if params[:only].present?
+        Category.secured(guardian).where(id: params[:only].to_a.map(&:to_i))
+      else
+        Category.secured(guardian)
+      end
     except_ids = params[:except].to_a.map(&:to_i)
     include_uncategorized = (
diff --git a/spec/requests/categories_controller_spec.rb b/spec/requests/categories_controller_spec.rb
index 450d0fe529f..6413f1d0cdf 100644
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@@ -1564,6 +1564,25 @@ RSpec.describe CategoriesController do
       expect(response.parsed_body["categories"].length).not_to eq(0)
     end
 
+    it "produces exactly 5 subcategories" do
+      subcategories = Fabricate.times(6, :category, parent_category: category)
+      subcategories[3].update!(read_restricted: true)
+
+      get "/categories/hierarchical_search.json"
+
+      expect(response.status).to eq(200)
+      expect(response.parsed_body["categories"].length).to eq(7)
+      expect(response.parsed_body["categories"].map { |c| c["id"] }).to contain_exactly(
+        category.id,
+        subcategories[0].id,
+        subcategories[1].id,
+        subcategories[2].id,
+        subcategories[4].id,
+        subcategories[5].id,
+        SiteSetting.uncategorized_category_id,
+      )
+    end
+
     it "doesn't produce categories with a very specific term" do
       get "/categories/hierarchical_search.json", params: { term: "acategorythatdoesnotexist" }
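Review bot: In the new `only =` assignment, `params[:only].to_a` still assumes the parameter arrives as an array; a scalar query value (`?only=5`) comes through as a String, which has no `to_a`, so the request fails with NoMethodError before the secured scope is applied. `Category.secured(guardian).where(id: Array(params[:only]).map(&:to_i))` accepts both shapes, and since both branches start from the same scope the intent reads more directly as `only = Category.secured(guardian)` followed by `only = only.where(id: Array(params[:only]).map(&:to_i)) if params[:only].present?`. Note that `only` is now always a relation where it used to be nil when the parameter was absent, so any nil-check on it further down the action (outside this hunk) takes the other path from now on; I assume the rest of the commit accounts for that. `parent_category_id` on the line above is still taken straight from params without passing through the secured scope, and whether a restricted parent id is honoured downstream cannot be seen from this hunk. The enclosing action continues outside the hunk.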
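Review bot: The example name `produces exactly 5 subcategories` understates what the new spec pins down: the assertion expects 7 ids (the parent, five subcategories and the uncategorized category) and, via `contain_exactly`, that the subcategory marked `read_restricted` at index 3 is absent; a name such as `it "hides read-restricted subcategories in hierarchical search"` would state the behaviour actually under test, and a short comment on the `subcategories[3].update!(read_restricted: true)` line (`# the one that must not be returned`) would make the intent obvious. No sign-in is visible in the hunk, so as far as can be seen this exercises only the guardian the surrounding context provides, presumably anonymous; a companion example with a user who is granted access to the restricted category would confirm that the secured scope grants as well as hides. The `it` block is complete within the hunk.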