I've been poring over the BT 4.x (LE) spec trying to figure out if this is possible or not (events without pairing/bonding).
Does anyone have an insight (and link to the spec preferably) if it's possible?
As Mike Petrichenko commented, GATT communication is definitely possible without pairing. In fact, most GATT servers/clients out there function without the need for pairing/bonding. The only exception is when some characteristics require authentication/authorisation in order to read some data (e.g. a medical device with a Heart Rate characteristic).
If you want a specific reference to where this is mentioned in the Bluetooth spec, then I recommend looking at the Core Specification version 5.2, Vol 3, Part C, section 10.2 (LE Security Modes):-
The security requirements of a device, a service or a service request are expressed in terms of a security mode and security level. Each service or service request may have its own security requirement. The device may also have a security requirement. A physical connection between two devices shall operate in only one security mode.
It is then mentioned that LE security mode 1 has the level "No security", and many GATT servers/clients work at this level.
You can test this yourself if you have two phones available. You can use the nRF Connect app to run a GATT server on one and a GATT client on the other. You will see that you can browse the GATT table and read data without having to pair.
Below are a few links that contain more information:-
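To make the distinction in the answer above concrete (open characteristics versus ones that demand a paired, encrypted link), here is an added example that is not part of the original answer or of any Bluetooth stack: a small model of how a GATT server decides an ATT Read Request at each LE security mode 1 level. The GATT table, the handles and the values are constructed for the demo; the security level enum and the ATT error codes are taken from the Core Specification (Vol 3, Part C, 10.2 and Vol 3, Part F, 3.4.1.1). The mapping of "required level not met" to a particular error code is a simplification and is stated as such in the code.

```python
"""Model of an ATT Read Request against a small GATT table at each
LE security mode 1 level. Constructed example, no real Bluetooth I/O."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Tuple, Union


class LinkSecurity(IntEnum):
    """LE security mode 1 levels (Core Spec Vol 3, Part C, section 10.2)."""
    NONE = 1                  # level 1: no security (no pairing, no encryption)
    UNAUTHENTICATED_ENC = 2   # level 2: unauthenticated pairing with encryption
    AUTHENTICATED_ENC = 3     # level 3: authenticated pairing with encryption
    AUTHENTICATED_SC_ENC = 4  # level 4: authenticated LE Secure Connections


# ATT error codes (Core Spec Vol 3, Part F, section 3.4.1.1)
ATT_ERR_INVALID_HANDLE = 0x01
ATT_ERR_READ_NOT_PERMITTED = 0x02
ATT_ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_ERR_INSUFFICIENT_AUTHORIZATION = 0x08
ATT_ERR_INSUFFICIENT_ENCRYPTION = 0x0F


@dataclass
class Characteristic:
    handle: int
    uuid: int
    value: bytes
    readable: bool = True
    # Minimum link security level the server demands before serving a read.
    min_level: LinkSecurity = LinkSecurity.NONE
    # Application-level authorization: a hypothetical flag standing in for
    # whatever consent or allow-list logic a real server would apply.
    needs_authorization: bool = False


ReadResult = Tuple[bool, Union[bytes, int]]  # (True, value) or (False, ATT error)


def att_read(table: Dict[int, Characteristic], handle: int,
             link: LinkSecurity, authorized: bool = False) -> ReadResult:
    """Server-side decision for an ATT Read Request on one handle.

    Simplified error mapping (an assumption, not spec-mandated ordering):
    a level-2 requirement on an unencrypted link is reported as
    Insufficient Encryption; a level-3/4 requirement on a weaker link as
    Insufficient Authentication.
    """
    ch = table.get(handle)
    if ch is None:
        return False, ATT_ERR_INVALID_HANDLE
    if not ch.readable:
        return False, ATT_ERR_READ_NOT_PERMITTED
    if link < ch.min_level:
        if ch.min_level == LinkSecurity.UNAUTHENTICATED_ENC:
            return False, ATT_ERR_INSUFFICIENT_ENCRYPTION
        return False, ATT_ERR_INSUFFICIENT_AUTHENTICATION
    if ch.needs_authorization and not authorized:
        return False, ATT_ERR_INSUFFICIENT_AUTHORIZATION
    return True, ch.value


def sample_table() -> Dict[int, Characteristic]:
    """Constructed GATT table: two open characteristics, one that requires an
    authenticated encrypted link, one that is not readable at all."""
    chars = [
        Characteristic(0x0003, 0x2A00, b"nRF Demo"),               # Device Name, open
        Characteristic(0x0012, 0x2A19, bytes([87])),               # Battery Level, open
        Characteristic(0x0021, 0x2A37, bytes([0x00, 72]),          # Heart Rate Measurement
                       min_level=LinkSecurity.AUTHENTICATED_ENC),  # locked to level 3+ (constructed policy)
        Characteristic(0x0030, 0x2A39, bytes([0]), readable=False),  # Heart Rate Control Point, write-only
    ]
    return {c.handle: c for c in chars}


def browse(table: Dict[int, Characteristic], link: LinkSecurity,
           authorized: bool = False) -> Dict[int, ReadResult]:
    """Read every handle the way a client walking the table would."""
    return {h: att_read(table, h, link, authorized) for h in sorted(table)}


if __name__ == "__main__":
    t = sample_table()
    for level in LinkSecurity:
        print(f"link security level {int(level)} ({level.name}):")
        for h, (ok, v) in browse(t, level).items():
            shown = "value " + v.hex() if ok else "ATT error 0x%02x" % v
            print(f"  0x{h:04x}: {shown}")
```

Running it shows the point of the answer: at level 1 (no pairing at all) the Device Name and Battery Level reads succeed, and only the characteristic the server deliberately locked down comes back with Insufficient Authentication (0x05). A client such as nRF Connect surfaces exactly that error, and it is the server's per-attribute permissions, not the mere existence of a connection, that decide whether pairing is triggered.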