CheckFileSystem does not override permission related calls to apply those operations to the hidden crc files. Clients may be unable to read the crcs if the file is created with strict permissions and then relaxed.
The checksum fs is designed to work with or w/o crcs present, so it silently ignores FNF exceptions. The java file stream apis unfortunately may only throw FNF, so permission denied becomes FNF resulting in this bug going silently unnoticed.
(Problem discovered via public localizer. Files are downloaded as user-readonly and then relaxed to all-read. The crc remains user-readonly)