In the default "Configuration Item" or "Service" lookup field in Self Service Incident form, a Client (End user) can only see the CIs linked to him.
However if there is a custom CI lookup added for CMDB, it starts showing all CIs in the CMDB database in Self Service.
There is an option to apply "lookup filter" for Self Service, but using even that you cannot restrict the visibility of CI/Assets based on the link Client or link to Client's Account.
So adding a couple of checkbox settings while defining the lookup filter to control the data access can achieve this. See the mockup below:
It has 2 checkboxes to control records based on Linked to Client or Linked to Account. If none of the these are checked, all records can be shown (default behavior).
This can apply to both Custom lookups or the OOTB lookups on CMDB (Base Element) which are: Configuration Item, Service, Service Offering to give admins more flexibility on what they want to expose vs. hide to end users.