Tags: amazon-web-services, amazon-s3, amazon-cloudfront

Why does CloudFront return the custom error object only when List permission is granted?


I noticed that if the list permission on the bucket is not granted to the public, CloudFront's custom error page (404 Not Found in my case) always returns 403 Forbidden. Once the list permission is granted, a custom 404 image can be returned.

None of my objects are explicitly marked as publicly readable, but I have given the CloudFront origin access identity read permission for all objects in the bucket. So I assume that when CloudFront tries to grab the non-existent object, it can't find it; then it tries to list all objects to find the target; consequently, the permission is denied. This part confuses me. If list permission is not needed when targets exist, why wouldn't CloudFront just grab the given custom error object when it can't find the original target in the first step? Is it listing objects just to confirm a 404 status?


Solution

  • The 403 comes directly from S3 when CloudFront tries to access a non-existent key without having list permissions. CloudFront isn't trying to make a second request to list the objects, or anything like that. S3 just directly returns a 403 when CloudFront tries to access a non-existing object.

    The reason S3 returns a 403 response and not a 404 when you try to access a non-existent key without the list permission is that without the permission you should not be able to distinguish between these two scenarios:

    1. S3 key exists but permissions do not allow access to the object
    2. S3 key doesn't exist

    If you could distinguish those you could effectively list the contents of the bucket by enumerating likely keys and checking for 403 vs 404 responses. That is not allowed without the list permissions, so those two scenarios must have the same response as each other to be indistinguishable. They could both be 403 or both be 404, but 403 is more fitting as it represents "Forbidden". Without the list permission, you are "Forbidden" from knowing whether there is an element existing with that key or not.

    It doesn't really apply to your case, where all the objects in the bucket are accessible, but if you had just one object in your bucket that is secret and you don't want people without the list permission to know it is there, you would appreciate S3 not revealing its existence by returning a 403 instead of a 404 for that one specific URL. S3's rules are applicable to the general case, where it isn't certain that all the objects in the bucket are accessible or even that their existence should be detectable.
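The following is an added example, not code from the question or the answer above. It models the rule the answer states (without s3:ListBucket, "key exists but is denied" and "key is missing" both come back as 403) so the enumeration oracle and the custom-error symptom can be exercised offline, and it builds the shape of bucket policy that grants a CloudFront origin access identity s3:ListBucket on the bucket itself, which is what lets CloudFront see a 404 from S3 without making the listing public. The bucket name and OAI ARN are placeholders, and the status functions are a simulation of S3's and CloudFront's behaviour, not calls to AWS.

```python
"""Simulation of the S3 403-vs-404 rule and the OAI bucket policy (added example).

Nothing here talks to AWS; s3_get_status / cloudfront_response re-implement
the decision rule described in the answer so its consequences can be tested.
"""
import json

# Assumed placeholder names; neither appears in the original post.
BUCKET = "example-bucket"
OAI_ARN = ("arn:aws:iam::cloudfront:user/"
           "CloudFront Origin Access Identity EXAMPLEOAI")


def oai_bucket_policy(bucket, oai_arn, allow_list):
    """Bucket policy granting a CloudFront OAI read access.

    s3:GetObject is an object-level action (Resource bucket/*); s3:ListBucket
    is bucket-level and must name the bucket ARN itself.  Granting ListBucket
    to the OAI principal only (not to "*") lets CloudFront receive 404 for a
    missing key without exposing the key listing to the public.
    """
    statements = [{
        "Sid": "OaiGetObject",
        "Effect": "Allow",
        "Principal": {"AWS": oai_arn},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]
    if allow_list:
        statements.append({
            "Sid": "OaiListBucket",
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def s3_get_status(key_exists, can_get, can_list):
    """HTTP status S3 returns for GET /key under the rule in the answer."""
    if key_exists and can_get:
        return 200
    if not can_list:
        # Without ListBucket the caller must not learn whether the key exists,
        # so "denied" and "missing" collapse to the same answer: 403.
        return 403
    return 403 if key_exists else 404


def cloudfront_response(origin_status, custom_errors):
    """Apply CloudFront custom error responses to an origin status.

    custom_errors maps an origin status to (page_path, response_code).
    Returns (status sent to the viewer, page served or None).
    """
    if origin_status in custom_errors:
        page, code = custom_errors[origin_status]
        return code, page
    return origin_status, None


def probe_keys(bucket_keys, readable_keys, candidates, can_list):
    """Enumeration oracle: which candidate names can a caller confirm exist?

    A name is confirmed when its status differs from the status of a name that
    certainly does not exist.  Without ListBucket, an existing-but-denied key
    is indistinguishable from a missing one, which is the point of the 403.
    """
    missing_status = s3_get_status(False, False, can_list)
    confirmed = set()
    for key in candidates:
        exists = key in bucket_keys
        status = s3_get_status(exists, key in readable_keys, can_list)
        if status != missing_status:
            confirmed.add(key)
    return confirmed


if __name__ == "__main__":
    errors = {404: ("/404.png", 404)}  # the asker's custom 404 image (path assumed)
    for allow_list in (False, True):
        origin = s3_get_status(False, False, allow_list)
        print(f"ListBucket={allow_list}: origin {origin} -> viewer",
              cloudfront_response(origin, errors))
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_ARN, True), indent=2))
```

Run as-is, the loop reproduces the symptom from the question: with no ListBucket the origin answers 403, no custom error mapping matches, and the viewer gets a bare 403; with ListBucket the origin answers 404 and the custom 404 page is served. The probe_keys helper shows the trade-off the answer describes: once ListBucket is granted, a caller who can reach the origin can tell a denied key from a missing one by the 403/404 difference.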