Why does reading from the package registry require an API-scoped personal token?

When generating a personal access token for private package registry access, I initially selected read_repository, advertised as “Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.”. However, it didn’t work. In the end I had to change it to API scope, as mentioned in the official documentation.

However, I don’t feel very comfortable having full (RO) API access (unfortunately GitLab doesn’t provide a more granular selection) to just read JARs. I wonder why it is needed, while for a deploy token it is enough to use read_package_registry?

Marcin