Problem/Motivation
Users without the permission to edit and delete content of a specific content type (such as article) cannot unpublish it, unless they also have the permission "administer content" which then applies to all content types.
With the "administer content" permission, users only see a "Save" button on the content form, but they see "Publish" and "Unpublish" as available actions in the bulk operations on the content overview page. However, if they then try to unpublish seleceted content, they get a message that they don't have access.
With "administer content" permissions they can unpublish content, but then they have no access to see unpublished content (such as /node/123), but if they know the node ID, they can still it's edit form (/node/123/edit).
In order to let users see unpublished content, they need to have "Bypass content access control" which also applies to all content types - and of course allows them to delete anything.
So, basically it's easier to give users the permission to delete content then to unpublish it - or it's a bug and unpublishing content is part of editing content, but it's broken.
However, a typical set up is to give a larger group of users the right to just unpublish content, and only fewer users with a different role the permission to actually delete content.
Proposed resolution
Allow the publishing and unpublishing of content per content type, or fix (un)publishing as part of "edit content" per content type.