Hi,
If you keep all of your plugins at the latest version, you should be perfectly safe from CSRF or any other attacks. For a CSRF query to execute, there must be a vulnerability, and I don’t see how the search request could be used for that. Every aspect of the query, the arguments, everything is validated multiple times, and we are currently not aware of any CSRF-related issues with the search. There is no difference in how the query is executed for privileged and non-privileged users, so there is basically no ground for a CSRF attack.
Even if you were to add a nonce to the ajax request (which I don’t recommend, because for each query it has to be regenerated on the fly, which basically makes it useless, as an attacker can easily bypass that), the whole site back-end would still need protection. In CSRF attacks, the attacker tricks a privileged user (like an admin) into clicking a link or submitting a form to execute a query on the back-end, and it is much more likely that an attack will be aimed at your site back-end with a request to a vulnerable file.
Instead of altering everything in the core files on your whole site, I would rather suggest using a plugin like WordFence or a firewall that detects suspicious and known vulnerability attacks and blocks them before they reach execution. It is much more secure, and does not require core file modifications.
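The reply above describes the CSRF scenario (an attacker's page makes a logged-in admin's browser submit a request to the back-end, cookies attached) and mentions WordPress nonces. The following is an added, self-contained model of that scenario; it is not code from Ajax Search Pro or WordPress core. The nonce scheme is modelled loosely on WordPress's (a keyed hash over a time tick, the action name, the user id and the session token, valid for the current and previous tick), and the `Site` class, the secret key, the cookie value and the post data are all constructed for the example.

```python
"""Model of a WordPress-style nonce guarding a state-changing back-end action
against CSRF. Added example, not code from Ajax Search Pro or WordPress core.
The secret, the Site class, the cookie and the post data are constructed."""
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-secret-salt-for-the-example"  # stands in for the wp-config salts
NONCE_LIFE = 12 * 60 * 60  # seconds; WordPress's default nonce lifetime is 12 hours


def nonce_tick(now):
    """Time bucket of half the nonce life; a nonce is accepted for its own tick
    and the following one, so it lives between 12 and 24 hours."""
    return int(now // (NONCE_LIFE / 2))


def create_nonce(action, user_id, session_token, now=None):
    """Keyed hash over tick|action|user|session, truncated to a short token."""
    now = time.time() if now is None else now
    msg = f"{nonce_tick(now)}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Accept a nonce from the current or the previous tick, compared in
    constant time. Anything else (wrong action, user, session, or age) fails."""
    now = time.time() if now is None else now
    for candidate_time in (now, now - NONCE_LIFE / 2):
        expected = create_nonce(action, user_id, session_token, candidate_time)
        if hmac.compare_digest(expected, nonce):
            return True
    return False


class Site:
    """Tiny stand-in for a WordPress back-end with one read-only endpoint
    (search) and one state-changing endpoint (delete). Constructed data."""

    def __init__(self):
        self.posts = {1: "Hello world", 2: "Draft"}
        # cookie value -> (user_id, session_token); the browser attaches the
        # cookie to every request to the site, including ones an attacker's
        # page triggers, which is exactly what CSRF relies on
        self.sessions = {"admin_cookie": (1, "sess-abc")}

    def search(self, query):
        """Read-only: a forged cross-site request changes nothing and returns
        only what any anonymous visitor could already see."""
        q = query.lower()
        return sorted(pid for pid, title in self.posts.items() if q in title.lower())

    def admin_delete_post(self, cookie, post_id, nonce, now=None):
        """State-changing: needs a logged-in user AND a nonce bound to that
        user's session, which only a page served to that user contains."""
        if cookie not in self.sessions:
            return "forbidden: not logged in"
        user_id, session = self.sessions[cookie]
        if not verify_nonce(nonce, f"delete-post_{post_id}", user_id, session, now):
            return "forbidden: bad nonce"
        self.posts.pop(post_id, None)
        return "deleted"


def csrf_scenario(now=0):
    """Walk through the attack the reply describes and return what happened."""
    site = Site()
    results = {}
    # 1. forged request to the read-only search endpoint: nothing to protect
    results["search"] = site.search("hello")
    # 2. forged delete: the cookie rides along, but the attacker's page cannot
    #    read the admin's nonce (same-origin policy), so it can only guess
    results["forged_delete"] = site.admin_delete_post("admin_cookie", 1, "guessed000", now)
    # 3. genuine delete from the admin's own page, which embeds a fresh nonce
    user_id, session = site.sessions["admin_cookie"]
    good = create_nonce("delete-post_1", user_id, session, now)
    results["genuine_delete"] = site.admin_delete_post("admin_cookie", 1, good, now)
    # 4. a captured nonce replayed after its lifetime (two ticks later) is dead
    stale = create_nonce("delete-post_2", user_id, session, now)
    results["expired_delete"] = site.admin_delete_post(
        "admin_cookie", 2, stale, now + NONCE_LIFE + 1)
    results["posts_left"] = sorted(site.posts)
    return results


if __name__ == "__main__":
    for step, outcome in csrf_scenario().items():
        print(f"{step}: {outcome}")
```

Run it and the forged delete is refused with "forbidden: bad nonce" while the genuine one succeeds; the search call answers either way because it neither needs nor changes anything tied to the victim's privileges. The tick-based expiry is why a nonce embedded in a page has a bounded useful life, which in practice is the trade-off between how long an open admin page keeps working and how long a leaked token stays usable.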