There's code that deletes a customer from the CRM using Api4, but does not tell it NOT to check permissions.
This fails in the case that the logged in user is not some sort of admin.
My use case was that InlayPay was failing to find customer in situations where this codepath is hit.
Since the function that wraps this has no means for passing checkPermissions in, I assume this is just a slip up and that any testing done to date was done as the admin user, so it's slipped through. It seems sensible that checkPErmissions = FALSE; this is done for the create() method, for example.