ApiVisualEditor.php ignores $wgVisualEditorParsoidForwardCookies if it thinks the wiki is publicly readable.
Patch Set 2: Code-Review-1
Per discussion with Gabriel on IRC, this feature should refuse to work if there are no read restrictions. Will amend.
However, this ("refuse to work if there are no read restrictions") isn't documented anywhere and is counter-intuitive. The wiki I run is behind CA's SSO provider, for example, so it is unreadable without authentication no matter what the internal setting of MediaWiki is.
At the very least this should be better documented -- "If you set $wgVisualEditorParsoidForwardCookies make sure that you also set your wiki so that it is not publicly readable" -- but I think it would be better to honor the setting in all cases.
There are already a lot of disclaimers on the documentation for this, so we should assume that if someone sets it, they know what they're doing.