Currently, when using the project token to trigger builds via the API, the request is impersonating the "anonymous" user, requiring this user to have global and job-related READ privilege (interestingly, BUILD privilege is not required when using matrix access).
If configured like this, every unauthenticated user can see all build jobs in Jenkins, which should absolutely not be intended.
I suggest in this case, the privilege should not be required, or, alternatively, requests made with the project API token should impersonate a second, virtual user "api" or something, who can then be assigned the correct privileges independent from the anonymous user.
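
An audit check for the exposure described above, as an added example that is not part of the original report or of Jenkins itself: it scans a matrix-authorization `config.xml` for READ grants to the "anonymous" user. It assumes the Matrix Authorization plugin's `<permission>` entry layout (`permission-id:sid`, optionally prefixed with `USER:` or `GROUP:`); the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (assumption: Matrix Authorization entry layout).
EXPOSED_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>USER:hudson.model.Item.Read:anonymous</permission>
    <permission>hudson.model.Item.Build:ci-bot</permission>
  </authorizationStrategy>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>USER:hudson.model.Hudson.Read:ci-bot</permission>
    <permission>USER:hudson.model.Item.Read:ci-bot</permission>
  </authorizationStrategy>
</hudson>"""

# The two READ privileges the report says token-triggered builds need.
READ_PERMS = {
    "hudson.model.Hudson.Read": "Overall/Read",
    "hudson.model.Item.Read": "Job/Read",
}


def parse_entry(text):
    """Split one <permission> value into (kind, permission_id, sid)."""
    text = text.strip()
    head = text.split(":", 1)[0]
    if head in ("USER", "GROUP"):
        kind, perm, sid = text.split(":", 2)
    else:
        # Legacy entries carry no type prefix; treat them as possibly a user.
        kind = "UNSPECIFIED"
        perm, sid = text.split(":", 1)
    return kind, perm, sid


def anonymous_read_grants(config_xml):
    """Return the sorted READ privileges granted to the anonymous user."""
    found = set()
    for node in ET.fromstring(config_xml).iter("permission"):
        if not node.text or ":" not in node.text:
            continue
        kind, perm, sid = parse_entry(node.text)
        if sid == "anonymous" and kind != "GROUP" and perm in READ_PERMS:
            found.add(READ_PERMS[perm])
    return sorted(found)
```

A non-empty result means unauthenticated visitors can list jobs, which is the side effect of granting "anonymous" the privileges that token-triggered builds require.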