Ok, it seems I got it all wrong. I assumed that
GET http://<host>:<port>/jasperserver/rest_v2/reports
would list all reports, as that was my expectation from working with other REST APIs. This assumption was wrong.
After playing around and reading the manual more carefully than before, I eventually got it right. The things that triggered the 403 access denied when trying my approach in the comment above were (a) that I got the URL wrong (missing "reports/") and (b) that I forgot the file extension (.pdf in my case)
GET http://<host>:<port>/jasperserver/rest_v2/reports/<foldername>/<reportname>.pdf
did the trick. I still don't get why this can only be done by a user (ROLE_USER) and not an admin (ROLE_ADMINISTRATOR), but that is not a practical issue for me.
(EDIT: Apparently the whole user thing was some kind of bug. After repeating the whole procedure on a fresh server, the admin user can access the reports same as the regular user.)
