That's a known long standing bug, but is technically a feature as that's an unintended usage of that parameter.
forge.joomlapolis.com/issues/6403
That parameter isn't intended to be used that way and is primarily meant to just prevent public profile access and not actually limit users themselves from accessing their profiles.
Will review finally getting that fixed today though for at least fieldclass ajax endpoints for fields.