kmmbvnr / django-material

Material Design for Django

Home Page:http://viewflow.io/

Filters defined in ModelViewSet's get_queryset method are not applied to Detail and Delete views

ikseek opened this issue

DetailModelView and DeleteModelView don't have ModelViewMixin in them, so they never call self.viewset.get_queryset() for pre-filtering in get_object(). As a consequence, ModelViewSets that don't define explicit permission checks do not list objects filtered out by get_queryset(), but still allow seeing and deleting them (but not updating, as UpdateModelView has ModelViewMixin).
This inconsistency makes me believe this is not intended behavior, and it looks like a potential security hole.

Thanks for the spot!
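The gap the reporter describes, reduced to a runnable model. This is an added illustration, not code from django-material or from the reporter: Django is replaced by a few plain-Python stand-ins (a `QuerySet` over row dicts, a `Document` model, a `BaseObjectView`, the `TenantDocumentViewSet` and the `request` dict are all constructed here), so it runs without Django installed. The point it demonstrates is the one in the issue: a single-object view whose `get_object()` goes through the model's default manager rather than `self.viewset.get_queryset()` returns rows the list view would never show, and adding the delegating mixin (as `UpdateModelView` already has) closes the gap.

```python
"""Model of the access-control gap described in the issue.

Added illustration, not django-material's code. Every class below is a
constructed stand-in for the corresponding Django/django-material piece.
"""


class Http404(Exception):
    """Stand-in for django.http.Http404."""


class QuerySet:
    """Tiny stand-in for a Django QuerySet over a list of row dicts."""

    def __init__(self, rows):
        self._rows = list(rows)

    def all(self):
        return QuerySet(self._rows)

    def filter(self, **lookups):
        return QuerySet(
            r for r in self._rows
            if all(r.get(k) == v for k, v in lookups.items())
        )

    def get(self, **lookups):
        rows = self.filter(**lookups)._rows
        if not rows:
            raise Http404(f"no row matches {lookups}")
        return rows[0]

    def pks(self):
        return [r["pk"] for r in self._rows]


# Constructed sample table: rows belonging to two different tenants.
DOCUMENTS = [
    {"pk": 1, "tenant": "acme", "title": "acme roadmap"},
    {"pk": 2, "tenant": "globex", "title": "globex payroll"},
]


class Document:
    """Stand-in model; `objects` plays the role of the default manager."""
    objects = QuerySet(DOCUMENTS)


class TenantDocumentViewSet:
    """Viewset that scopes everything to the caller's tenant in get_queryset()
    and relies on that filter instead of explicit permission checks."""
    model = Document

    def get_queryset(self, request):
        return self.model.objects.filter(tenant=request["tenant"])


class BaseObjectView:
    """Generic single-object view: get_object() goes through get_queryset(),
    which by default is the *unfiltered* default manager."""
    model = Document

    def __init__(self, viewset):
        self.viewset = viewset

    def get_queryset(self, request):
        return self.model.objects.all()

    def get_object(self, request, pk):
        return self.get_queryset(request).get(pk=pk)


class ModelViewMixin:
    """Delegates get_queryset() to the viewset, so the viewset's filter applies."""

    def get_queryset(self, request):
        if self.viewset is not None:
            return self.viewset.get_queryset(request)
        return super().get_queryset(request)


class UpdateModelView(ModelViewMixin, BaseObjectView):
    """Has the mixin: the reporter notes update is correctly filtered."""


class DetailModelView(BaseObjectView):
    """Lacks the mixin: reproduces the reported behaviour (filter bypassed)."""


class FixedDetailModelView(ModelViewMixin, BaseObjectView):
    """Candidate fix: give the detail view the same mixin the update view has."""


def fetch(view_cls, request, pk):
    """Return the row a view would render, or None when it raises Http404."""
    view = view_cls(viewset=TenantDocumentViewSet())
    try:
        return view.get_object(request, pk)
    except Http404:
        return None


if __name__ == "__main__":
    acme = {"tenant": "acme"}
    print("list  :", TenantDocumentViewSet().get_queryset(acme).pks())  # [1]
    print("detail:", fetch(DetailModelView, acme, 2))        # globex row leaks
    print("update:", fetch(UpdateModelView, acme, 2))        # None
    print("fixed :", fetch(FixedDetailModelView, acme, 2))   # None
```

Run it and the list view shows only the acme row while the mixin-less detail view hands back the globex row by primary key; the same shape applies to a delete view, which is why the reporter treats it as a security issue rather than a cosmetic inconsistency. The equivalent fix in the real project is the one the issue implies, having DetailModelView and DeleteModelView go through ModelViewMixin (or otherwise call self.viewset.get_queryset()) so get_object() sees the same filtered queryset the list view does; a viewset that uses get_queryset() as its only authorization boundary should then be checked on every view that resolves an object by pk.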