restrictTo = Read doesn't mean what most people would think it means

When XNAT indicates that a user can read a project, it really means that the user can read that project, but doesn't imply that the user can read any of the other objects associated with that project, such as resources, subjects, experiments, etc. In order to check whether a user has read access to a project in the sense that most people would think of it (i.e. to see the stuff inside the project), you need to ask if the user can read subjects within that project: all of the standard XNAT groups (owner, member, and collaborator) and all custom user groups can always read subjects in a project regardless of any other permissions or restrictions on access to data types in that project.

The upshot of this is that the meaning of the restrictTo value Read changes from its strict technical meaning (able to read a project's metadata) to the more common understanding (able to read a project's contents).