I am pretty sure it is meant the other way round.
Rationale: If you try to read a resource without authentication which has `@RequiresPermission` annotations, it will throw a UnauthenticatedException. But this should not lead to a status code UNAUTHORIZED, but to a status code FORBIDDEN.
Unauthorized should be returned for UnauthorizedException (hence the name).
Guests or any authenticated role could (at some point in the future) get the permission to read the resource, so FORBIDDEN is the correct status code.