This is a bit of a sanity/cleanup issue. The case I noticed was when a user (or non-user Anonymous) doesn't have read permission, they can still find out if a card exists or not by probing. If they don't have read for a card, the user should never get 'missing', onl y a 'deny' view. If it is a message, they just learn that they can't read the card, whether or not it exists, or as content it is probably blank, and not the 'add link'.
what if they have create permissions but not read permissions? This is actually a common configuration -- you can register for an event, say, but can't see the registration after you've submitted it.
+discussed in support tickets
+relevant user stories