Your guess is correct: this has to do with the stateless server. All state available on the server will be removed at the end of a request: it will be sent to the client or it will be stored in the database. As NPEs cannot be stored in the database, they have to be sent to the client. However, since everything sent to the client is accessible through JavaScript, we can only send attributes that the user is allowed to see. This means that we cannot support non-readable NPE attributes as of Mendix 7.
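
The round trip described in the answer above, as an added example that is not part of the original answer and is not Mendix's implementation. It is a simplified model of a stateless runtime; the access rules, attribute names, role names and function names are all constructed for illustration.

```javascript
// Simplified model of a stateless server handling a non-persistable object.
// Assumption: access rules map each attribute to the roles allowed to read it.
const accessRules = {
  Name: ["User", "Admin"],
  DiscountCode: ["Admin"], // not readable by the "User" role
};

function canRead(attr, role) {
  return (accessRules[attr] || []).includes(role);
}

// End of request: the object cannot go to the database, so it goes to the
// client. Anything serialized here is inspectable in the browser, so only
// attributes the role may read are included. The server keeps no copy.
function endRequest(serverObject, role) {
  const clientState = {};
  for (const [attr, value] of Object.entries(serverObject)) {
    if (canRead(attr, role)) clientState[attr] = value;
  }
  return JSON.stringify(clientState);
}

// Start of the next request: the server rebuilds the object purely from
// what the client sends back.
function beginRequest(payload) {
  return JSON.parse(payload);
}

// Attributes that do not survive one request/response cycle for this role.
function lostAttributes(serverObject, role) {
  const restored = beginRequest(endRequest(serverObject, role));
  return Object.keys(serverObject).filter((attr) => !(attr in restored));
}

// Constructed sample object.
const npe = { Name: "Order draft", DiscountCode: "INTERNAL-50" };

console.log(lostAttributes(npe, "Admin")); // nothing is lost
console.log(lostAttributes(npe, "User"));  // the non-readable attribute is lost
```

In this model a non-readable attribute has nowhere to live between requests: sending it would expose it to the client, and withholding it means the server no longer has the value on the next request.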