That’s a good point to check.
They do have limited data access to the database as a whole. However, some schemas have “No Access” while other schemas have “Limited Access”.
You got me thinking though. I opened up Chrome inspector and found that the call to https://metabase/api/field/336 was getting 403 Forbidden. It turns out that one of the field filters was using a table that the permissions did not allow. Once I added that table as Unrestricted Access, the limited users were able to use the question.
So, I think I’m good. It was just hard to narrow down which of the particular permission checks were failing since the only error presented to the user is basically “You don’t have permission”.