The account that you selected "No Access" for, is this the same account that you're making the API call with?
I replicated your steps using my 'service account', and when I restricted the service account access at a space level, I was getting a 500 (unexpected).
My service account also had Full Access at a system level, which does say "Full access supercedes all other permissions, at the space level and beyond."
When I took Full Access off of my service account, with the space level restriction in place, I had a 403 returned (expected)
When I added Full Access back, leaving the space level restriction in place, data was returned (expected)
Not sure if the account you are testing with had Full Access or not, but I think it's a bug.
I would report the issue in your Jive support group so it can be filed as a bug and tracked appropriately.
Hope that helps?
"No Access" is set to a normal user. API call is made using OAuth, and a different user (a Jive administrator having full access at system level) is used during the authorization process to get access token. API call is failed if "No Access" is set to any users, and is success if no "No Access" is used at all.
It is a big problem for us, because we can't get any permissions at all for spaces where "No Access" is used.
I gave a "Normal" account the "No Access" permission, then did a get request ('/places/178339/appliedEntitlements') with my full access "Service" account and received a 200 with the following payload:
For what it's worth, I'm testing this on an Internal Cloud instance.
To answer your initial question, I would post this in your private Jive group and get their take. Sounds like we're getting different treatment for the same steps.
Hope that helps,