This was fixed in 5.6.1. Please move to CLOSED CURRENTRELEASE if verification passes.
Verified using steps in bug description. Resulted in { "error": { "kind": "forbidden", "message": "Use of the read action is forbidden", "klass": "ApiController::Forbidden" } }