[Helix] Able to Retrieve Subscribers List Without Scope

Thanks for bringing this to our attention. I am able to reproduce the same behavior if the client_id is associated with the account that is also authenticating (i.e., I own the app and I’m authenticating myself). If I authenticate myself with a client_id created in a different account and try to get the sub list without the scope, it fails as expected.

I’ve inquired with the API team about this behavior to see if it is intended behavior for the developer’s account to not need the required scope.