The following issues all permit access to view something using the 'access content' permission.
Is this correct? Is this correct for configuration entities? For public files?
For more context around access and REST - in some of the other issues we are adding access handlers and new permissions to deal with admin access see: