The rest endpoint GET worflow/instance/<id>.[json|xml] checks to see if you have access rights. It calls WorkflowServiceImpl.assertPermission() with the requested rights (ie READ). However these seem to be ignored and it tests to see if you have WRITE permission on the mediapackage contained in workflow.
This appears to be a hack for things like the trim editor where the workflow instance is requested but you may want to edit the results. Surely this WRITE permission only should be tested when you POST the changes back or the permission tested by a separate call which would then en/disable the mediapackage editor.
In general if you are admin or have privileges for the series that the MP belongs to this is not a problem as you have WRITE access anyway, but I feel it breaks the REST paradigm.