DERBY-4191 added checks for minimal select privilege in cases where a SELECT query didn't access any actual column in the base table, such as SELECT COUNT FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is only done for top-level SELECT statements. It should also be done for subqueries.
Examples of queries where Derby does not currently check for minimal select privileges on the accessed tables (performed as USER2, which has no privileges on any of USER1's tables):
SELECT * FROM (SELECT COUNT FROM USER1.T) S
SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
INSERT INTO USER2.T SELECT 1 FROM USER1.T
I believe that the above statements should have failed, but currently they succeed.