When WordPress implemented the new Trash feature they failed to change the permissions granted when the post is in the trash. This means that an unauthenticated user cannot see the post, however an authenticated user can, no matter what privileges they have, even βsubscriberβ. See ExploitDB for PoC