The backend api is enforcing that only admins and the owner of a list can edit or delete an existing list, but the UI seems to show both buttons to all users.
It looks like the issue is that components/lists/ListInfo.vue is checking for general permissions like $can( 'change', 'lists/toollist' ) rather than object specific permissions like $can( 'change', list ). This may also mean that we need to add type casting for the list objects in the vuex store.