In the current implementation, in order to invoke chaincode, a client must also have write access to the channel on which the chaincode is deployed. This is problematic because even if the chaincode function simply returns data (i.e. is a query), one still needs to call the Invoke function and since Invoke could be a read or a write, as mentioned the client must have write access to the channel. It would be preferable to be able to require read-only permission in order to access chaincode. While you can of course provide access control with chaincode, this still would not prevent a client from submitting transactions to the orderer on that channel.
The most common use case is a common channel used to provide reference information where only a limited set of parties should be able to write to the channel with the majority of parties will simply be querying the reference data.