TIP: Server Actions are not restricted by default

I fully understand the logic between allowing something to be publicly available or not, but just wanted to let others know if they mistakenly thought they were locked down like I did. This one mistake could mean other app developers are accidentally exposing their data publicly.

It would be better to have everything restricted by default and require explicit roles/permissions to allow access (i.e. admin only, subscriber, public, etc.).

Just look at S3 as an example for why restricting by default should be the norm. There are too many data leakages and mistakes that developers can make to not require explicit access.

1 Like
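
Added example, not part of the original post and not the API of any particular framework: a sketch of the restrict-by-default model the post asks for, where an action cannot be registered without an explicit access level. The names `defineAction`, `callAction`, `publicActions` and the sample actions are hypothetical, and the role order (subscriber below admin) is an assumption.

```javascript
// Added illustration: hypothetical registry, not the API of any framework.
const ROLES = ['subscriber', 'admin']; // assumed order, weakest to strongest
const actions = new Map();

// Registration fails unless access is declared explicitly, so an action
// can never become public by omission.
function defineAction(name, { access } = {}, handler) {
  if (access !== 'public' && !ROLES.includes(access)) {
    throw new Error(`action "${name}" must declare access: public, ${ROLES.join(', ')}`);
  }
  actions.set(name, { access, handler });
}

// Single entry point for every request; the check runs before the handler.
function callAction(name, user, input) {
  const action = actions.get(name);
  if (!action) return { status: 404, body: null };
  if (action.access !== 'public') {
    if (!user) return { status: 401, body: null };
    // An unknown role yields index -1 and is rejected.
    const have = ROLES.indexOf(user.role);
    if (have < ROLES.indexOf(action.access)) return { status: 403, body: null };
  }
  return { status: 200, body: action.handler(input, user) };
}

// Review aid: list everything reachable without a login.
function publicActions() {
  return [...actions].filter(([, a]) => a.access === 'public').map(([n]) => n);
}

// Constructed sample actions
defineAction('getProducts', { access: 'public' }, () => ['widget']);
defineAction('getMyOrders', { access: 'subscriber' }, (_in, u) => `orders for ${u.id}`);
defineAction('listUsers', { access: 'admin' }, () => ['alice', 'bob']);
```

Running `publicActions()` in a build or CI step gives a reviewable list of what is exposed, so making something public is a visible decision.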