Implementations of QueryInterface must never check ACLs. This is because COM requires that an object supporting a particular IID always return success when queried for that IID. Even without this requirement, checking ACLs on QueryInterface does not provide any real security. If client A legally has access to interface IA, A can hand the interface pointer directly to B without any calls back to the server. Additionally, COM caches interface pointers and will not call QueryInterface on the server every time a client does a query.
For more information on implementing QueryInterface, see Rules for Implementing QueryInterface.
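The two effects described above (the hand-off from A to B, and cached queries that never reach the server), modeled in portable C++ as an added example; it is not code from the original page and not real COM. `Server`, `Proxy`, `IARef`, the clients "A" and "B", and the per-call check in `ReadChecked` are assumptions made for illustration; the page itself does not say where the check should go instead.

```cpp
#include <cstdio>
#include <set>
#include <string>
using Id = std::string;
// Portable model, not real COM: caller identity is passed in explicitly.
struct Server {
    std::set<Id> acl{"A"};  // constructed ACL: only client A is allowed
    bool aclInQI = false;   // true models the anti-pattern from the text
    int qiCalls = 0;        // QueryInterface calls that reached the server
    bool QueryInterface(const Id& caller, const Id& iid) {
        ++qiCalls;
        if (iid != "IA") return false;             // unsupported IID
        return !aclInQI || acl.count(caller) > 0;  // ACL gate only in the anti-pattern
    }
    bool ReadUnchecked(const Id&) { return true; }  // trusts whoever holds the pointer
    bool ReadChecked(const Id& caller) { return acl.count(caller) > 0; }
};
struct IARef { Server* server; };  // stand-in for an IA pointer; a copy is a hand-off
// Client-side proxy that caches successful queries, as the text says COM does.
struct Proxy {
    Server* server; std::set<Id> cached;  // cached = IIDs already granted
    bool QueryInterface(const Id& caller, const Id& iid) {
        if (cached.count(iid)) return true;  // answered locally, server not asked
        if (server->QueryInterface(caller, iid)) cached.insert(iid);
        return cached.count(iid) > 0;
    }
};
// B is refused by the QI gate, yet calls IA through the pointer A hands over.
bool qiGateBypassed() {
    Server s; s.aclInQI = true;
    bool bRefused = !s.QueryInterface("B", "IA");
    bool aGranted = s.QueryInterface("A", "IA");
    IARef heldByB = IARef{&s};  // A hands its IA pointer to B
    return bRefused && aGranted && heldByB.server->ReadUnchecked("B");
}
// Same hand-off, but the method checks the caller on every call.
bool perCallCheckStopsB() {
    Server s; IARef heldByB{&s};
    return !heldByB.server->ReadChecked("B") && heldByB.server->ReadChecked("A");
}
// Two queries for IA through one proxy reach the server once.
int serverQiCalls() {
    Server s; Proxy p{&s, {}};
    p.QueryInterface("A", "IA"); p.QueryInterface("A", "IA");
    return s.qiCalls;
}
int main() {
    std::printf("%d %d %d\n", qiGateBypassed(), perCallCheckStopsB(), serverQiCalls());
}
```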