Gitlab API token with read_api permission

I'm using gitlab API token with read_api permission only.

I'm expecting that I can't get the source code data, but I was trying to use this endpoint: GetRawFile (https://docs.gitlab.com/ee/api/repository_files.html#get-raw-file-from-repository) and I received the data unexpected data.

Is it possible that read_api permission gives access to the repository files? If so, what it the target of read_repository permission?

How to decrease permissions of the token to disable possibility of getting source code data?