After doing a blank search for all of the contacts a user has access to, the list of contacts displayed is limited to the smart group that a user has access to, but exporting the contacts returned by the search exports all of the contacts in the database, not just the contacts returned by the search.
This behavior was originally reported to me as occurring in 1.9.12432, and I duplicated it in 2.0.4. I was unable to duplicate this on the demo site as I could not create new drupal users.
Steps to duplicate
1) Create a smart group (in our case, a smart group of all volunteers in the same state)
2) Create a group that will have View/Edit access to this smart group. (In our case, state coordinator(s)).
3) Create an ACL role for the state coordinators.
4) Create an ACL for the state contact data (View/Edit the smart group of volunteers for that state).
5) Assign the ACL role for the state coordinators to the state's coordinators group.
6) Add a contact to to the state's coordinators group.
7) Create a new drupal user for the state coordinator contact from step 6. This drupal user needs the "Access CiviCRM" permission.
8) Log out, and log back in as the new drupal user.
9) Perform an advanced search / blank search. It returns only contacts for the state (based on the smart group of contacts and their ACL to view / edit those contacts).
10) Click the "all x records" radio button, select "Export Contacts" from the pull down menu, and click "Go".
11) Select "Export PRIMARY contact fields" and click "Continue." The exported file contains ALL of the contacts in the database, not just the ones the user has ACL access to.
Workarounds exist to export just the contacts a user has access to:
If the original search in step 9 is restricted to the group that the logged-in user has an ACL for, exporting "all x contacts" exports only the contacts the user has an ACL for.
Selecting any number of contacts in step 10 and exporting "selected records only" exports only the selected contacts.
This bug may be related: