The access for the sc_req_item for the user sn_hr_core_case_reader /sn_hr_core_case_write is given by the OOB ACL 
https://<instance_name>/nav_to.do?uri=sys_security_acl.do?sys_id=fe5370019f22120047a2d126c42e700a 
https://<instance_name>/nav_to.do?uri=sys_security_acl.do?sys_id=7e5370019f22120047a2d126c42e7009 

This is the expected behaviour, reason there are cases you need to build catalog items in HR application. And requested item and requests are child records of an HR Case. So the HR user should be able to use the service catalog, and view/update the child requests of an HR case.