A few thoughts about listing and searching: your app could, server side, index the data your users are given access to, by sending it via ajax from the browser to your server - in effect “harvesting” available data for your users to search through. But I pretty much think that is going against the spirit of Solid …
The issue is real though: as a user, I grant a browser app access to my data and indirectly I thereby also grant access to my friends data (the data they have chosen to share with me). But since sharing says nothing about the app that uses the data (*) we can easily end up having browser apps that harvest my friends data and uses ajax to send it to their own server without any consent from my friends - my friends think they shared data with me and only me - but in reality they share the data with me AND any application I choose to use as an agent to work with my POD.
There are lots of good ideas in Solid, but w.r.t. privacy there is also a couple of broken places (as far as I understand it - and it would be great to be proven wrong here!). See also my other thread: Inter-app access control
(*) Sharing is only about granting other users access to your data without considering what browser app they choose to use.
/Jørn