Restrict Access-Control-Expose-Headers by API endpoint
!22838 (merged) addressed #194897 (closed), added missing headers to
Access-Control-Expose-Headers. The headers themselves were already included in the response, so the data itself has been going out across many different requests. In reviewing the MR for security, @dcouture agreed that we'd like to ultimately see this limited to only the applicable API endpoints.