The search crawl process retrieves content so that it can be indexed. The default crawl account, configured in the search service application, is automatically given permission to read all SharePoint content. When you create a web application, SharePoint automatically grants the default crawl account read access to it by assigning an Allow Read policy to the web application.
If you assign the default crawl account after creating web applications, you must manually assign the Allow Read policy for existing web applications. Only new web applications will have the policy applied automatically.
Therefore, it is recommended to create the Search Service Application, and to assign the default crawl account, before creating any web applications.
You must manually give the crawl account permission to read any other content source that you configure as a SharePoint content source, such as shared folders on servers.
The default crawl account will have broad access to content in your environment. Therefore, the account should be a unique user account used only for crawling content, and should not be granted access to content at any higher level.
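The following audit script is an added example, not part of the original page. It lists each web application, reports whether the default crawl account holds a read policy there (the case that is missed when the account is assigned after the web applications were created), and flags any policy that grants the account more than read. It assumes an on-premises farm with a single Search Service Application, run from the SharePoint Management Shell, and it assumes the page's "Allow Read" policy corresponds to the built-in Full Read policy role.

```powershell
# Added example: audit only, makes no changes to the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Read the default crawl (content access) account from the Search Service Application.
# Assumption: the farm has a single Search Service Application.
$ssa     = Get-SPEnterpriseSearchServiceApplication | Select-Object -First 1
$content = New-Object Microsoft.Office.Server.Search.Administration.Content($ssa)
$crawl   = $content.DefaultGatheringAccount   # form: DOMAIN\account

# Assumption: "Allow Read" on the page is the built-in Full Read policy role.
$fullRead = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead

Get-SPWebApplication | ForEach-Object {
    $wa = $_

    # Claims web applications store policy users in encoded form
    # (i:0#.w|DOMAIN\account), so compare on the part after the last '|'.
    $policies = @($wa.Policies | Where-Object {
        ($_.UserName -split '\|')[-1] -ieq $crawl
    })

    # Collect every policy role type bound to the crawl account on this web application.
    $roles = @($policies | ForEach-Object { $_.PolicyRoleBindings } |
               ForEach-Object { $_.Type })

    if ($roles.Count -eq 0) {
        # Typical for web applications created before the crawl account was assigned.
        $status = 'MISSING: crawl account has no read policy'
    }
    elseif ($roles | Where-Object { $_ -ne $fullRead }) {
        # Anything other than Full Read (for example Full Control) needs review.
        $status = 'REVIEW: policy grants something other than read'
    }
    else {
        $status = 'OK'
    }

    New-Object PSObject -Property @{
        WebApplication = $wa.Url
        CrawlAccount   = $crawl
        PolicyRoles    = ($roles -join ', ')
        Status         = $status
    }
} | Select-Object WebApplication, CrawlAccount, PolicyRoles, Status |
    Format-Table -AutoSize
```

Web application policies are only one place the account can be over-privileged; membership in the farm administrators group or local Administrators on the servers is outside what this script checks.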