The REST bulk read endpoints: /rest/v2/caches/{cacheName}?action=keys /rest/v2/caches/{cacheName}?action=entries use the cluster publisher, which is an internal component which doesn't check that the subject has bulk read permissions The methods require authentication, but once authenticated, any user can invoke them successfully.
This issue has been addressed in the following products: Red Hat Data Grid 8.4.4 Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396