We perform only read-only operations on connected orgs:

• We make GET requests to the Metadata API
• We make GET requests to the REST API
• We make GET requests to the Tooling API

Due to the way metadata list/retrieve permissions work in Salesforce, we do require Modify Metadata, because there is no read-only equivalent to that permission.

We will never modify client data or metadata. If a scanning user does not have Create/Read/Update/Delete (CRUD) or Field Level Security (FLS) permissions on certain objects and fields, we cannot report on them.