Queries starting with $documents require DB-level permissions (or possibly just permissions on the namespace db.$cmd.aggregate used for collection-less queries – though I don't know if it's possible to create a privilege for this namespace). 

For example, the simple query

[{$documents: [{a: 1}, {a: 2}, {a: 3}]}].

triggers auth errors for a user that does not have DB-level permissions; see HELP-52691.

I believe this query and others containing $documents should not require these permissions. The issue seems to be that $documents is not marked as an "initial source", so we require privileges for its namespace to execute the query. I'm not sure why we decided this; it seems like an oversight to me especially because $documents requires no privileges itself.