This repository was archived by the owner on Sep 24, 2018. It is now read-only.

Description
In WP_REST_Post_Statuses_Controller::prepare_item_for_response(), there's a permissions check that should instead be included in a get_item_permissions_check():
    if ( ( false === $status->public && ! is_user_logged_in() ) || ( true === $status->internal && is_user_logged_in() ) ) {
        return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view resource.' ), array( 'status' => rest_authorization_required_code() ) );
    }
When we make this change, we should make sure there are tests covering that private statuses aren't exposed when getting a list of posts.
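
The move proposed above, as an added sketch that is not WP-API's own code: the condition is lifted into a hypothetical helper, `demo_status_permissions_check()`, that a `get_item_permissions_check()` callback could return, and it is evaluated for constructed statuses under both login states. The `WP_Error`, `__()`, `is_user_logged_in()` and `rest_authorization_required_code()` definitions are stand-ins so the file runs outside WordPress.

```php
<?php
// Added illustration, not WP-API code. The stubs below stand in for WordPress
// so the file runs with plain `php`; inside WordPress they are skipped.
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error {
        public $code; public $message; public $data;
        public function __construct( $code, $message, $data ) {
            $this->code = $code; $this->message = $message; $this->data = $data;
        }
    }
}
if ( ! function_exists( '__' ) ) {
    function __( $text ) { return $text; }
}
$GLOBALS['demo_logged_in'] = false; // constructed login state for the demo
if ( ! function_exists( 'is_user_logged_in' ) ) {
    function is_user_logged_in() { return $GLOBALS['demo_logged_in']; }
}
if ( ! function_exists( 'rest_authorization_required_code' ) ) {
    // Same rule as WordPress: 403 when logged in, 401 otherwise.
    function rest_authorization_required_code() { return is_user_logged_in() ? 403 : 401; }
}

// Hypothetical helper: the issue's condition, moved out of response preparation
// so a get_item_permissions_check() callback can return it before any data is built.
function demo_status_permissions_check( $status ) {
    if ( ( false === $status->public && ! is_user_logged_in() ) || ( true === $status->internal && is_user_logged_in() ) ) {
        return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view resource.' ), array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Constructed sample statuses (public/internal flags only).
$statuses = array(
    'publish' => (object) array( 'public' => true,  'internal' => false ),
    'private' => (object) array( 'public' => false, 'internal' => false ),
    'trash'   => (object) array( 'public' => false, 'internal' => true ),
);
foreach ( array( false, true ) as $logged_in ) {
    $GLOBALS['demo_logged_in'] = $logged_in;
    foreach ( $statuses as $name => $status ) {
        $result = demo_status_permissions_check( $status );
        printf( "%-10s %-8s %s\n", $logged_in ? 'logged-in' : 'anonymous', $name,
            true === $result ? 'allowed' : 'denied (' . $result->data['status'] . ')' );
    }
}
```

The same matrix of status flags and login states is a starting point for the tests the issue asks for, with the constructed statuses replaced by registered ones.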