API paths not in /public require privileged access
We should check that added routes require privileged access. This implies allow-owner and allow-guarantor are forbidden outside /public too.
We should check that added routes require privileged access. This implies allow-owner and allow-guarantor are forbidden outside /public too.