Clarify REST /posts API status argument syntax, semantics

[CoherenceLabs]

The REST v2 /posts endpoint reference documents its optional status argument as letting clients "Limit result set to posts assigned one or more statuses", but does not specify the syntax for a list of two or more statuses, nor whether specifying >= 2 statuses filters to posts containing all or any of the statuses.

I somehow or other guessed that comma-separated statuses in a single string (e.g. "publish,future,draft,pending,private,trash") would work (desiring the "posts with any of these statuses" interpretation) and it appears to, but some WordPress sites return me an HTTP Error 400 with JSON reply payload specifying "code": "rest_invalid_param" and "message": "Invalid parameter(s): status" for a request that that kind of status query parameter. I suspect that error can actually indicate that the user account does not have access permission for posts with some of the specified statuses, rather than necessarily indicating that the given status argument is intrinsically malformed or invalid, since TypeMetal tends to get that error when attempting REST communication with a self-hosted site that does not have a REST authentication plugin installed, but not after installing and activating a REST authentication plugin. Is that true? If so, should I be detecting by some means what set of statuses it's valid to request for the user account in question, and filtering my /posts requests to specify only those? (The reason I want to filter by status is to omit auto-draft posts. I suppose I could filter those out of received results instead, but that would waste bandwidth.)

Some clearer documentation of the status parameter's syntax, semantics, and security/permissions requirements (if any) would be very helpful.