/tables isn't currently bound to table-specific permissions.
Intuitively, it makes sense to only show tables for which the current user actually has READ permissions, as in both metadata and data. However, there are two counterpoints as well: (1) it's conceivable that there could be a metadata "bot" user that can create, update, and delete tables without being able to read the metadata, and (2) the control over data access actually lies with the broker's auth and is configured independently of the controller's metadata ACLs.
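The trade-off above as a small model, added here as an illustration and not the project's code: it compares what a `/tables`-style listing would return under four candidate filtering policies. The `Principal` class, the policy names, and the sample tables and users are hypothetical and constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    # Controller-side metadata ACL: table name -> set of allowed actions.
    metadata_acl: dict = field(default_factory=dict)
    # Broker-side data ACL, configured independently of the controller.
    data_tables: set = field(default_factory=set)

def list_tables(principal, all_tables, policy):
    """Tables a /tables-style listing would return under a given policy.

    unfiltered    : no per-table check (the behaviour described above)
    metadata_read : only tables with metadata READ
    any_metadata  : tables where the principal holds any metadata action
    read_both     : metadata READ and broker-side data access
    """
    def visible(table):
        actions = principal.metadata_acl.get(table, set())
        if policy == "unfiltered":
            return True
        if policy == "metadata_read":
            return "READ" in actions
        if policy == "any_metadata":
            return bool(actions)
        if policy == "read_both":
            return "READ" in actions and table in principal.data_tables
        raise ValueError(f"unknown policy: {policy}")
    return sorted(t for t in all_tables if visible(t))

# Constructed sample data (hypothetical tables and users).
TABLES = ["clicks", "orders", "users"]
ANALYST = Principal("analyst",
                    metadata_acl={"clicks": {"READ"}, "orders": {"READ"}},
                    data_tables={"clicks"})
BOT = Principal("metadata-bot",
                metadata_acl={"orders": {"CREATE", "UPDATE", "DELETE"},
                              "users": {"CREATE", "UPDATE", "DELETE"}})

if __name__ == "__main__":
    for who in (ANALYST, BOT):
        for policy in ("unfiltered", "metadata_read", "any_metadata", "read_both"):
            print(f"{who.name:13} {policy:14} {list_tables(who, TABLES, policy)}")
```

Under `metadata_read` the bot sees none of the tables it manages, and `read_both` only works if the controller can consult the broker-side ACL, which is configured separately.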