The Redfish resources are associated with privileges. With this we can control which client can perform CRUD on which resources - by setting the permissions.
Are the events associated with privileges?
While subscribing to events, a user can specify filters based on the ResourceRegistries, etc. Can we have a way to set the validation during the subscription, so that we can allow subscribing for a resource only if that client is privileged to view that resource?
The expectation is that events would be sent to the EventDestination from resources that are accessible by the account that created the subscription. I believe this is mentioned in the specification, but we'll go take a look to make sure that is understood.
Attempting to validate a subscription based on privileges would be problematic - as resources come and go, and privileges can change. There are a lot of ways you can create a "useless subscription" - like creating one for a Message Registry that is never used by the service... I would hope that a client attempting to create a subscription based on a particular resource would have accessed that resource (if only to determine which one it cares about).
I don't know of any way to realistically "validate" a subscription during creation that wouldn't produce false positive/negative results.
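
The behaviour described in the replies above, sketched as an added example (not part of the thread and not code from any Redfish implementation): the subscription is accepted as-is, and the privilege check runs per event at delivery time against the owner's current role. The privilege and role tables, the `origin_type` field and the function names are assumptions made for illustration.

```python
# Added illustration; the tables and field names are constructed, not a real service's.
# Privileges required to GET each resource type (a service would take these
# from its privilege registry).
GET_PRIVILEGES = {
    "Chassis": {"Login"},
    "ManagerAccount": {"ConfigureUsers"},
}
ROLE_PRIVILEGES = {
    "ReadOnly": {"Login"},
    "Administrator": {"Login", "ConfigureUsers"},
}


def can_read(owner, resource_type, accounts):
    """True if the owner's current role holds every privilege needed for GET.

    Fails closed: a deleted account or an unmapped resource type reads nothing.
    """
    role = accounts.get(owner)
    required = GET_PRIVILEGES.get(resource_type)
    if role is None or required is None:
        return False
    return required <= ROLE_PRIVILEGES.get(role, set())


def deliverable(subscription, events, accounts):
    """Return the events this subscription may receive right now."""
    wanted = subscription.get("ResourceTypes")  # empty or missing: no filter
    out = []
    for ev in events:
        if wanted and ev["origin_type"] not in wanted:
            continue  # excluded by the subscriber's own filter
        # Checked per event, so role changes after subscribing take effect.
        if can_read(subscription["owner"], ev["origin_type"], accounts):
            out.append(ev)
    return out


# Constructed sample data.
ACCOUNTS = {"bob": "ReadOnly"}
SUB = {"owner": "bob", "Destination": "https://listener.example/events",
       "ResourceTypes": ["Chassis", "ManagerAccount"]}
EVENTS = [
    {"MessageId": "ResourceEvent.1.0.ResourceChanged", "origin_type": "Chassis"},
    {"MessageId": "ResourceEvent.1.0.ResourceChanged", "origin_type": "ManagerAccount"},
]

if __name__ == "__main__":
    print([e["origin_type"] for e in deliverable(SUB, EVENTS, ACCOUNTS)])
```

Because the check uses the account table as it stands when the event is sent, the same subscription starts or stops receiving `ManagerAccount` events as the owner's role changes, with nothing to re-validate on the subscription itself.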