Limiting submissions to one per user -> access denied via tokenized UPDATE URL

I've been using Webform module for my current project for over a year. For every webform submission, we send confirmation email to the user, with the tokenized UPDATE URL for quick access to edit the submission. We also limit most forms to 1 submission per user.

It's been a long time since I actually clicked those tokenized update links, but realized today they now require you to login. This seems to happen only when the form has the option "Limit users to one submission per webform/source entity" checked. VIEW and DELETE links work perfectly fine without logging in.

Is this intended or could this be a bug? I'm pretty sure I have used those links when we first added them to emails and had the submissions limited to 1 per user per webform even then, but I cannot be 100% sure of this. But anyways, aren't those links supposed to bypass other access control, so unless the approach has changed, they should work without logging in?