Permission required to list pull requests

In the REST API there are typically three types of requests: listing (e.g. GET .../pulls) all the items, and GET and POST on each individual item.

Regarding the pull-requests permission, I did an experiment where I set pull-requests: none and I was still able to list the pull requests by accessing .../pulls. Is this intentional? Is there any permission that controls access to this?

I noticed in the API documentation that the documentation is explicit about that POST requires write access, but it doesn’t say anything about permissions for listing pull requests or GETting a single pull request.