That’s like trying to hit these endpoints in an incognito window without an access_token (try it, it won’t work).
You probably have a cached cookie or something in your session? As the person who wrote this behavior in the Particle cloud, your user identity is a functional requirement in retrieving your private events, without it, your private events can’t exist. So I would be pretty surprised if you were getting your private events without being logged in. It shouldn’t matter what SDK this is happening in, the API simply doesn’t have enough information to get your private events without a live session, and it’s also restricted. But if you can send me a link to the particle api that lets me get private events without an access token, I’ll definitely gift you some Particle swag as a reward.