I want to be sure the Library Server Actions I create cannot be executed by hackers.
To do that with my normal server actions, I place a Security Restrict step at the start.
Is the recommended practice to do the same thing with Library Server Actions, as they exist as separate executable files?
By default, there is no exposed route to the modules/lib folder which holds the library actions, so not possible to be reached from the outside. I would think that adding a security restrict would be unnecessary but also redundant on api’s that have restrict actions themselves.
That would be for NodeJS. What about PHP?
Just an empty output, as it is just a giant json variable assigned.
Ah. Of course. 
Yes. I can see that now having taken a look at the library files.
Thanks for your feedback Ken!