When I run usermod with all capabilities dropped and have no access to `/etc/shadow`, usermod fails, complaining that it can't read `/etc/shadow`. I don't think it should need access for sub{u,g}id processing?