that is fixed in the current 2.4 head cvs, and we will release CR3 soon (actually it is tagged in cvs).
I installed CR3. The personalize behavior is the same for not authenticated requests.
Authenticated user can personalize portlets without having "personalize" permission. Changes persisted to DB and used for next login session.
So I beleive it is still broken.