We use Sitecore as our web CMS and have a component (created by an in-house developer) that "reads" data from SharePoint Online Lists and Libraries so that it can be rendered on a public-facing page. This component uses a service account which we add to the Visitors group in any site from which content needs to be rendered. This works very well for Lists and for metadata in Libraries, but when rendering links to Documents in a Library, we have an issue. Basically, when someone views that public-facing page and clicks a link to a Document, they are prompted for credentials. 

In our SharePoint 2010 environment (which we are retiring at the end of this calendar year), we we able to get around this issue by enabling Anonymous Access on the Site and Library. Unfortunately, since this has been removed from SharePoint Online, we are no longer able to use that workaround. 

I came up with another (potential) workaround using Flow to generate an "Anyone" link for the Document, which works, but is something we don't necessarily want people to use (lest we run into our Flow run quota - there are dozens of Libraries with dozens or hundreds of Documents).

The main reason I'm posting here is to try to understand why granting that service account "Read" permission to the Library doesn't allow it to download or open Documents.