Well, I didn't said it's a mistake, but it "looks like" a bug, event if it's not one, for the reason I gave in my first post.
Do you think it's obvious not prevent user to see item list, but still be able to see item detail?
I got the problem recently, because of Google. As Google seems to use analytics tracking code to discover any website page, then any user who can browser an item detail will silently give Google the path to this item, and thus despite the fact you prevent users to see item list, it can be found from Google. More exactly, people are looking for something on Google, and they'll see a page they shouldn't have access to.
For this reason, I don't think it's a matter of simplified permissions, because it there's an option to use advanced permission in admin, then problem will remain the same. Until the guy who code the theme discover this, and make needed changes. That's why I report it here, at least.
p