Compare to the connection's GetSettings() call, which is not protected by policykit permissions. It only checks that the requesting user is allowed according to "connection.permission".
Previously, device's GetAppliedConnection() requires "network-control" permissions. This although it only reads a profile, without modifying anything. That seems unnecessary, also because in the common case the applied connection is identical to the current settings connection, and the latter can be read without special permissions.
Don't require a special policykit permission to read the applied connection.