Project: eZ Publish / Platform
Issue: EZP-20290

REST: Requesting the content of a published object requires versionread permission


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: High
    • Version: 5.0
    • Component: Platform > REST API v2

    Description

      I tried to request an object over the REST API v2 as an anonymous user with content/read permission.

      Request:
      GET: /api/ezp/v2/content/objects/57
      ACCEPT: application/vnd.ez.api.Content+json

      Response:
      {
      "ErrorMessage": {
      "_media-type": "application/vnd.ez.api.ErrorMessage+json",
      "errorCode": 401,
      "errorMessage": "Unauthorized",
      "errorDescription": "User does not have access to 'versionread' 'content'",
      ...

      Usually, you don't want to give the anonymous user full versionread permission, so I tried it with a versionread permission limited to status/published.

      With this permission in place, I got the following response:

      {
      "ErrorMessage": {
      "_media-type": "application/vnd.ez.api.ErrorMessage+json",
      "errorCode": 404,
      "errorMessage": "Not Found",
      "errorDescription": "Could not find 'Limitation' with identifier 'Status'",
      ...

      After removing the limitation, it worked as expected, but the user had also access to the version list of the object (/content/objects/57/versions).

      However, I think that a user with the content/read permission should have access to the current published version of an object. Actually, it seems to be impossible to provide the published content of an object to a user without giving the user the permission to view all object versions.
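The report describes three observable outcomes for an anonymous role: a 401 when versionread is missing, a 404 about the unknown 'Status' limitation when versionread is restricted to published versions, and an over-exposed version list when versionread is granted without limitation. The following is an added example, not part of the issue or of the eZ Publish code base: a small regression check that requests the object and its version list with the paths and Accept header from the report and classifies what the current user can see. The VersionList media type, the `example.invalid` base URL and the minimal Content body in the constructed responses are assumptions; the fetch function is injectable so the check runs offline against those constructed responses.

```python
import json
import urllib.error
import urllib.request

# Content media type as in the report; the VersionList media type is an assumption.
CONTENT_ACCEPT = "application/vnd.ez.api.Content+json"
VERSION_LIST_ACCEPT = "application/vnd.ez.api.VersionList+json"


def http_get(url, accept):
    """Fetch url with the given Accept header; return (status, parsed JSON or None).
    Error responses are returned rather than raised so the caller can inspect them."""
    req = urllib.request.Request(url, headers={"Accept": accept})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, None


def error_description(body):
    """Return the errorDescription of an eZ ErrorMessage document, or ''."""
    if isinstance(body, dict) and isinstance(body.get("ErrorMessage"), dict):
        return str(body["ErrorMessage"].get("errorDescription", ""))
    return ""


def classify(object_status, object_body, versions_status):
    """Map the two responses onto the outcomes discussed in the report."""
    desc = error_description(object_body)
    if object_status == 401 and "versionread" in desc:
        return "read-denied: content/read alone is not enough, versionread is required"
    if object_status == 404 and "Limitation" in desc:
        return "read-denied: the Status limitation on versionread is not understood by REST"
    if object_status != 200:
        return f"read-denied: unexpected status {object_status}"
    if versions_status == 200:
        return "over-exposed: published content readable, but so is the version list"
    return "ok: published content readable, version list denied"


def check_published_read_only(base_url, content_id, fetch=http_get):
    """Request the object and its version list as the current (e.g. anonymous) user
    and return a classification string describing what that user can see."""
    object_url = f"{base_url}/api/ezp/v2/content/objects/{content_id}"
    object_status, object_body = fetch(object_url, CONTENT_ACCEPT)
    versions_status, _ = fetch(object_url + "/versions", VERSION_LIST_ACCEPT)
    return classify(object_status, object_body, versions_status)


# Constructed responses mirroring the report, so the check can be exercised offline.
def fake_fetch(scenario):
    media = "application/vnd.ez.api.ErrorMessage+json"
    unauthorized = {"ErrorMessage": {"_media-type": media, "errorCode": 401,
                    "errorMessage": "Unauthorized",
                    "errorDescription": "User does not have access to 'versionread' 'content'"}}
    not_found = {"ErrorMessage": {"_media-type": media, "errorCode": 404,
                 "errorMessage": "Not Found",
                 "errorDescription": "Could not find 'Limitation' with identifier 'Status'"}}
    content = {"Content": {"_media-type": CONTENT_ACCEPT}}  # minimal stand-in body (assumed)
    table = {
        "no-versionread": lambda url, accept: (401, unauthorized),
        "status-limitation": lambda url, accept: (404, not_found),
        "full-versionread": lambda url, accept: (200, content),
        # The desired state: object readable, version list denied.
        "target": lambda url, accept: (401, unauthorized) if url.endswith("/versions") else (200, content),
    }
    return table[scenario]


def demo():
    """Run the check against every constructed scenario; returns {scenario: verdict}."""
    return {s: check_published_read_only("http://example.invalid", 57, fetch=fake_fetch(s))
            for s in ("no-versionread", "status-limitation", "full-versionread", "target")}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Against a real instance, call `check_published_read_only("https://host", 57)` while unauthenticated; anything other than the "ok" verdict means the anonymous role either cannot read published content or can enumerate versions.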

      People

        Assignee: Unassigned
        Reporter: daniel.schreier
        Votes: 1
        Watchers: 2