Django Admin: User without permissions can still see a model (UserIncomeSupportDocument) — how to hide it?
I have a Django Admin setup where a Marketing user should only be allowed to view Clients and Therapists.
However, even after removing all permissions related to UserIncomeSupportDocument, the Marketing user can still see the model in the Django Admin sidebar. They can even open the changelist view.
I expected that removing the model’s permissions would hide it, but it still appears by default.
Expected behavior
If a user does not have:
api.view_userincomesupportdocument
api.add_userincomesupportdocument
api.change_userincomesupportdocument
api.delete_userincomesupportdocument
Then the model should not appear in Django Admin at all.
Current behavior
Even after removing all permissions, the model still shows up:
Site administration
Api
Clients (OK)
Therapists (OK)
User income support documents <-- SHOULD NOT BE VISIBLE
Admin code for the model
Here is the relevant Django Admin code:
from django import forms
from django.contrib import admin
from django.utils.html import format_html


class UserIncomeSupportDocumentForm(forms.ModelForm):
    class Meta:
        model = UserIncomeSupportDocument
        fields = '__all__'

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Show the stored file's URL as the initial value when a file exists.
        if self.instance.document and hasattr(self.instance.document, 'url'):
            self.fields['document'].initial = self.instance.document.url
        else:
            self.fields['document'].initial = None


class UserIncomeSupportDocumentAdmin(admin.ModelAdmin):
    form = UserIncomeSupportDocumentForm

    def income_support_file_link(self, obj):
        # format_html escapes the URL and marks the result safe; the
        # allow_tags attribute was removed in Django 2.0.
        return format_html('<a href="{}">Download</a>', obj.document.url)

    # Some attempts I tried but they didn't work:
    # def get_model_perms(self, request):
    #     if request.user.groups.filter(name='Marketing').exists():
    #         return {}
    #     return super().get_model_perms(request)
My Question
Is there a reliable way to ensure that ONLY users explicitly given permissions to this model can see it in Django Admin?
Why is a user without any permissions still able to see and access the model?
And what is the correct Django way to hide a model completely from groups that should not have access to it?
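An added example, not part of the original post: a small audit helper that reports which permission source gives a staff user access to the model in question. It relies only on the standard `django.contrib.auth` user methods (`get_user_permissions`, `get_group_permissions`, `has_perm`); the app label `api` and model name come from the codenames listed in the question, and `FakeUser` is a constructed stand-in so the block runs without a Django project.

```python
# Added example (not from the original post). In a real project, call
# explain_admin_access() from `manage.py shell` on a freshly fetched user:
# ModelBackend caches permissions on the user instance.

ADMIN_ACTIONS = ("view", "add", "change", "delete")


def explain_admin_access(user, app_label="api",
                         model_name="userincomesupportdocument"):
    """Return [(source, [permissions])] explaining the user's admin access.

    An empty list means no standard source grants any of the four model
    permissions, so a stock ModelAdmin would not list the model.
    """
    if not (user.is_active and user.is_staff):
        return []  # cannot log in to the admin site at all
    wanted = {f"{app_label}.{a}_{model_name}" for a in ADMIN_ACTIONS}
    if user.is_superuser:
        # Superusers pass every has_perm() check regardless of assignments.
        return [("superuser", sorted(wanted))]
    direct = wanted & set(user.get_user_permissions())
    group = wanted & set(user.get_group_permissions())
    # Anything has_perm() accepts beyond those came from another backend.
    other = {p for p in wanted if user.has_perm(p)} - direct - group
    found = [("user_permissions", direct), ("group_permissions", group),
             ("other_backend", other)]
    return [(src, sorted(perms)) for src, perms in found if perms]


class FakeUser:
    """Constructed stand-in for django.contrib.auth.models.User (demo only)."""

    def __init__(self, staff=True, superuser=False, direct=(), group=()):
        self.is_active, self.is_staff, self.is_superuser = True, staff, superuser
        self._direct, self._group = set(direct), set(group)

    def get_user_permissions(self):
        return self._direct

    def get_group_permissions(self):
        return self._group

    def has_perm(self, perm):
        return perm in self._direct | self._group


if __name__ == "__main__":
    # Constructed case: a leftover group permission still grants view access.
    marketing = FakeUser(group={"api.view_userincomesupportdocument"})
    print(explain_admin_access(marketing))
```
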