Limiting the Operator's access by OU and scope definition is not working as expected.
Scope definition query works fine in search. However, when tested with an Operator user, all results are shown.
Confirm if the account you are restricting was only added as an operator within ITSS. Otherwise, if it is also part of the "IT Security Search Administrators" local group, it will be treated as an administrator user in ITSS.
If the user is confirmed to not be an administrator, double-check the syntax of the query value and also take into consideration they are case-sensitive. You could also restrict the OU in the "Allowed Organization Units" directly from the "Scope Definition Query" instead.