API Token Permissions do not seem to match the documentation

Good day! I’m trying to create a token of lease privilege and noticed an issue hitting the /zones endpoint.

According to the documentation, I should only need the “Zones:Read” privilege to hit the endpoint. When set to just one zone, I get the following error:

{
    "success": false,
    "errors": [
        {
            "code": 0,
            "message": "Actor 'com.cloudflare.api.token.API_TOKEN_ID' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
        }
    ],
    "messages": [],
    "result": null
}

However, when I grant it to all zones, the API works as expected. Is this a bug or expected behavior?

Thanks!