Ok I’ve found the problem. The issue was indeed that I was not passing the nonce of the request in the proper way. Because, as I found in the docs:
If no nonce is provided the API will set the current user to 0,
turning the request into an unauthenticated request, even if you’re
logged into WordPress.
So I’m guessing that this was the actual issue. So I’m now passing a nonce via the X-WP-Nonce header, with the nonce being used being generated, also as the docs say, via:
wp_create_nonce('wp_rest');
Now, I can indeed retrieve the capabilities of the concerned Administrator user, and current_user_can() authorization within the permission_callback works.
What astonished me is that (and I’m not sure if I’m understanding that correctly); you cannot pass custom strings to wp_create_nonce when you use REST, as you can do it using the legacy wp_ajax API. The above-mentioned failed when I specified any string different from wp_rest to the value of wp_create_nonce. Just feels odd to me that the string used to generate a nonce for like 30 different REST requests MUST be the same string, always.
And finally, after current_user_can, I’m also checking the nonce via:
wp_verify_nonce(
$request->get_header('X-WP-Nonce'),
'wp_rest'
);
Just because the docs say nothing about doing this automatically if you’re not using WP’s built-in Javascript API. So I guessed you have to do it on your own in such a scenario, but as it seems, WP actually does it for you also in this scenario, so that part can be omitted.