As Anthony Green indicated, permissions can be granted to anything in SSRS.
What I am guessing you did is had it set up with inherited permissions, then removed permissions at the root (home).
Alternately, it could be permissions at the data source level too. You can have SSRS pass the credentials through to SQL when it gets the data OR you can have a specific user account configured to get that data. If it is a specific user account, it could be that user account doesn't have access to the data.
We took a different approach at my workplace - permissions are granted so everyone can see the root level and we restrict on an as-needed bases further down the chain. We found that most reports did not require any special restrictions on them as the information was considered "internally public" meaning that once you are inside the company, that data is not a secret. This makes managing the report permissions a LOT easier. If it is requested to make it a "private" report, we require justification as it is extra administration overhead. PII, financial data, and anything GDPR related would fall under justifiably secret, but it made our job a LOT easier not having to hide all of the reports.
We also learned that a lot of reports that had very specific permissions (like only 3 people in the company apart from the admins can view this report) came about by mis-interpreting the requirements. End user said "Users A, B, and C must be able to see this report" and it was interpreted as "ONLY users A, B, and C can see this report".