That is correct. The search API is your best option for querying this information. The identity data model has a lot of fields available for searching, which you can find here. You query will search all fields for that GUID (which will probably work), but you can fine tune your query to only search for access profiles that have that ID.
Additional info I will add here. If you search for just the access profile id (or access profile name) against the “identities” index, this will not work.
You will get all the people with this access profile assigned, PLUS the owner of the access profile, regardless of whether they are assigned the access profile or not.
You must use the @access(id:<AP ID>) if you do not want to include the owner (which I assume is what you’re after).