Currently it is possible to specify a restriction "owner = self" for shadows, like this:
However, after executing a search of this type, all shadows are returned. Those that are not owned by the user, are returned empty, with a fetch result = FATAL_ERROR: Access denied.
It would be better if only relevant shadows were returned. (Although the condition 'owner = self' cannot be obviously implemented within search filter that is evaluated on the resource.)
See also TestSecurity.test250AutzJackSelfAccountsRead.