There is no mention of the _check_csrf attribute that need to be added to a route defaults (see https://github.com/KnpLabs/KnpRadBundle/blob/develop/EventListener/CsrfListener.php#L22)

Nothing here:
http://rad.knplabs.com/#unsafe-methods

And nothing here:
https://github.com/KnpLabs/KnpRadBundle/wiki/csrf-protected-links

Though, it looks important to ensure that the token will be checked

yes, that's a missing part of the doc that is very important :/
We're working on some feature files describing very realistically the behavior:

Since a code snippets worth 100 words, here they are :)
It doesn't mean we should'nt update the docs.
By the way, if you have time to upgrade them and provide a PR, it would be awseome :)
Thanks for opening the issue!

#129 should be able to addthe csrf attribute in appropriate requests.