As per T170673: Make ChangeOps define required permissions, ChangeOps expose the permissions (actions) they require, but we do not always check them.
In particular, Statement-related API modules like wbsetclaim, wbsetclaimvalue, wbsetqualifier, and wbsetreference do not check the actions declared by the respective ChangeOp. Only the generic checks for edit permissions are performed by EditEntity::checkEditPermissions().
Other API modules do this: ModifyEntity::checkPermissions covers the term-related API modules as well as wbsetsitelink and the generic wbeditentity API module.
Note that this is presently not a problem in practice, since we currently do not have special permissions defined for modifying Statements. But it's an inconsistency that may lead to nasty surprises down the road.