Inside a Supabase project, users can connect to their projects as either "anon" or "authenticated". The role information is passed inside a JWT.
I'll need to confirm with Oli (asleep right now) on the technical implementation, but I believe either of these roles is assumed when running the RLS checks.
The question wasn't if a primary key was required; it was "does this also work for tables where the GRANT hides certain columns from different users?"