I found a couple of questions related to mine here and here.
If indeed I need to allow Authenticated Read access in my Item class CLPs for my query to work, I have to wonder what is the purpose then of setting a user pointer field CLP permission? It seems to have no discernible effect one way or the other.