I guess at first glance it seems like Lucene would return all results from a group of data, even if a particular user was only allowed to view half of the data.
For example, suppose "User A" could view files 1, 5 and 7 and "User B" could view files 1, 2, 3 and 4. If the search term occurs in file 3, will "User A" see that result? Of course, he should not see the result, but since Lucene scans all the files, how does Lucene mark that User A should not see certain files?
Lucene provides the facilities for implementing entitlements, e.g. providing a Filter to restrict the search results, allowing for security tokens to be directly indexed and then AND'd with the query, etc.
But it's up to your app to tap into these capabilities to implement the security it requires.
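
The indexed-security-token approach mentioned in the reply, as an added example that is not part of the original thread or of Lucene's own code. It assumes Lucene 8.x or 9.x on the classpath; the field names `id`, `body` and `acl` and the user tokens are hypothetical, and the documents are constructed sample data.

```java
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.search.*;
import org.apache.lucene.store.ByteBuffersDirectory;
import org.apache.lucene.store.Directory;
import java.util.*;

public class AclSearchExample {
    // Index one file; every user allowed to read it becomes a token in the "acl" field.
    static void addFile(IndexWriter w, String id, String body, String... allowedUsers) throws Exception {
        Document d = new Document();
        d.add(new StringField("id", id, Field.Store.YES));
        d.add(new TextField("body", body, Field.Store.NO));
        for (String u : allowedUsers) d.add(new StringField("acl", u, Field.Store.NO));
        w.addDocument(d);
    }

    // AND the search term with a non-scoring filter clause on the caller's token.
    // The user value must come from the authenticated session, never from request input.
    static List<String> search(IndexSearcher s, String user, String term) throws Exception {
        Query q = new BooleanQuery.Builder()
            .add(new TermQuery(new Term("body", term)), BooleanClause.Occur.MUST)
            .add(new TermQuery(new Term("acl", user)), BooleanClause.Occur.FILTER)
            .build();
        List<String> ids = new ArrayList<>();
        for (ScoreDoc sd : s.search(q, 10).scoreDocs) ids.add(s.doc(sd.doc).get("id"));
        return ids;
    }

    public static void main(String[] args) throws Exception {
        Directory dir = new ByteBuffersDirectory();
        try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(new StandardAnalyzer()))) {
            // Constructed data following the thread: A may read 1, 5, 7; B may read 1, 2, 3, 4.
            addFile(w, "1", "shared notes", "userA", "userB");
            addFile(w, "3", "quarterly budget", "userB");
            addFile(w, "5", "travel plans", "userA");
        }
        try (DirectoryReader r = DirectoryReader.open(dir)) {
            IndexSearcher s = new IndexSearcher(r);
            // Same term, different callers: userA holds no token on file 3.
            System.out.println("userA: " + search(s, "userA", "budget"));
            System.out.println("userB: " + search(s, "userB", "budget"));
        }
    }
}
```

Because the tokens live in the index, a change to a file's permissions only takes effect once that document is re-indexed.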