If the request is authenticated then it checks if the user is not allowed to view the member list (this also controls whether they can view profiles). You can set the allowed roles from site settings. If the user is authenticated and is not in an allowed role we just link to gravatar since we know for sure he is not allowed to view the profile.
If the request is not authenticated then we don't know if the user will be allowed to view the profile when he logs in, but we link to the profile anyway sine they will be prompted to login when they click the link. If they login and it turns out they are not allowed they will be redirected to access denied page.
Hope it helps,