This appears to be an intentional change. The git commit where they added this defense includes the following comment:
Since the DB may contain corp passwords, we should secure it. Using the same permission as writing to the DB as the read is potentially as damaging as a write.
It is conceivable that your issue will cause them to consider adding a separate read permission, but at least for the time being, this is a regression in 4.2.