read_user scope does not grant permission to use /api/v3/user

Summary

OAuth read_user scope does not grant permission to use /api/v3/user anymore. It worked in the past, so this is a regression.

Steps to reproduce

  1. Obtain an OAuth access token with "read_user" permission (and no "api" permission).
  2. Try to access "/api/v3/user" with this token.

What is the current bug behavior?

403 Forbidden with this content:

{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api"}

What is the expected correct behavior?

User data is returned.
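The following is an added illustration, not GitLab code: a constructed model of the scope check behind the two behaviours above, with the "regressed" policy reproducing the 403 body quoted in the report and the "expected" policy accepting read_user for /api/v3/user. The endpoint table, the user payload and the function names are assumptions made for the example.

```python
import json

# Constructed policy table (not GitLab's real configuration):
# which token scopes each endpoint accepts under each behaviour.
ENDPOINT_SCOPES = {
    "regressed": {"/api/v3/user": ("api",)},              # what the report observes
    "expected": {"/api/v3/user": ("api", "read_user")},   # what the report expects
}

# The 403 body as quoted in the report.
REPORTED_BODY = ('{"error":"insufficient_scope","error_description":"The request '
                 'requires higher privileges than provided by the access token.",'
                 '"scope":"api"}')


def authorize(path, token_scopes, policy="expected"):
    """Return (status, body) for a request carrying token_scopes.

    200 with a constructed user record when the token holds any scope the
    endpoint accepts; otherwise the insufficient_scope body in the shape the
    report shows, naming the first accepted scope as the one required.
    """
    accepted = ENDPOINT_SCOPES[policy].get(path)
    if accepted is None:
        return 404, {"error": "404 Not Found"}
    if any(scope in accepted for scope in token_scopes):
        return 200, {"id": 1, "username": "example"}  # constructed payload
    return 403, {
        "error": "insufficient_scope",
        "error_description": "The request requires higher privileges than "
                             "provided by the access token.",
        "scope": accepted[0],
    }


def demanded_scope(body_text):
    """Parse an error body and return the scope the server demanded,
    or None when the body is not an insufficient_scope error."""
    body = json.loads(body_text)
    if body.get("error") != "insufficient_scope":
        return None
    return body["scope"]


if __name__ == "__main__":
    # A read_user token is refused under the regressed policy, accepted under the expected one.
    print(authorize("/api/v3/user", ("read_user",), policy="regressed"))
    print(authorize("/api/v3/user", ("read_user",)))
    print("server demanded:", demanded_scope(REPORTED_BODY))
```

A regression test for the real service would assert the "expected" branch: a token carrying only read_user gets 200 from /api/v3/user, so clients needing identity only are not pushed to request the broader api scope.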

Output of checks

This bug happens on GitLab.com

Edited by Linus Lewandowski