SELECTED ANSWER
replied on August 16, 2018
The content is part of the document, so the document's security is relevant for determining what the user is able to do with that content: read, write, etc. Shortcuts can have different security to control operations that apply strictly to the shortcut. Things like renaming, moving, or deleting the shortcut don't affect the target document, so these are controlled by the rights on the shortcut itself.
So: if you want users to be able to read the contents of a document, they need to have read rights on the document and the fact that they attempt the read through a shortcut is not relevant. If you think about it, it has to work this way. If rights on the shortcut were relevant then a user who has access to an entry could give other users access by creating a shortcut in a public location, even if they don't have the rights to modify that entry's security.
Note though that if a user has read rights to a document it can show up in search results. It's possible to find a document that you have read rights to even if you can't navigate to it and don't have a direct shortcut.