We perform only read-only operations on connected orgs:
Due to the way metadata list/retrieve permissions work in Salesforce, we do require Modify Metadata, because there is no read-only equivalent to that permission.
We will never modify client data or metadata. If a scanning user does not have Create/Read/Update/Delete (CRUD) or Field Level Security (FLS) permissions on certain objects and fields, we cannot report on them.