When configuring Jenkins to matrix bases security, and giving anonymous users read access, they are able to browse source code throw the coverage report.
Other plugins does not permit this (workspace is not available as default for anonymous) and for example both Task Scanner and the Warnings plugin disable the last link down to the source when not logged in.
My use case is to let logged in users do almost anything (we give authenticated users admin rights) and users not logged in should be able to see jobs and job results - but the source code.
I wrote a mail to the dev-list and tried to discuss it there in more generelt.
Mail subject is: "Jenkins security setup and plugin responsibility"