The definition of sufficient access depends on whether the builder (the tool invoking the debian/rules target) supports the Rules-Requires-Root (R³) field. If the builder supports R³, then it will set the environment variable DEB_RULES_REQUIRES_ROOT and dh_testroot will validate that the builder followed the minimum requirements for the given value of DEB_RULES_REQUIRES_ROOT.
If the builder does not support Rules-Requires-Root, then it will not set the DEB_RULES_REQUIRES_ROOT environment variable. This will in turn make dh_testroot (and the rest of debhelper) fall back to assuming that (fake)root is implied.
The following is a summary of how dh_testroot behaves based on the DEB_RULES_REQUIRES_ROOT environment variable (leading and trailing whitespace in the variable is ignored).
Please note that dh_testroot does not read the Rules-Requires-Root field. Which implies that dh_testroot may produce incorrect result if the builder lies in DEB_RULES_REQUIRES_ROOT. On the flip side, it also enables things like testing for what will happen when DEB_RULES_REQUIRES_ROOT is set to a given value.