Users without ITIL roles (i.e. sn_hr_core_case_reader / sn_hr_core_case_write) are also able to view all requested item (sc_req_item) records.
Access to sc_req_item for users with sn_hr_core_case_reader / sn_hr_core_case_write is granted by the OOB ACL.
This is the expected behaviour, because there are cases where you need to build catalog items in the HR application, and requested items and requests are child records of an HR Case. The HR user should therefore be able to use the service catalog and view/update the child requests of an HR case.