Strapi's REST API lets a front-end application send requests that are visible in the browser console, and from those a third party could figure out how to view unpublished content. This is because access to unpublished content is achieved with a public query filter.
Depending on the importance of the organisation, or the content, access to embargoed content could be seriously damaging.
Access permissions for content should be made conditional, just as conditionProvider is used for access to parts of the admin.
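One way to make draft access conditional on the caller rather than on the query string, as an added example that is not Strapi's own code. It assumes the filter is `publicationState` (Strapi v4) or `status` (Strapi v5), that the authenticated user is on `ctx.state.user`, and that a hypothetical role named "Editor" is the only one allowed to preview.

```javascript
// Added example: Koa-style middleware (the style Strapi uses) that only lets
// permitted callers select unpublished content.
// Assumptions: parameter names as in Strapi v4 (`publicationState`) and
// v5 (`status`); the "Editor" role name is hypothetical.
const PUBLISHED_VALUE = { publicationState: 'live', status: 'published' };
const PREVIEW_ROLES = new Set(['Editor']);

function mayPreview(user) {
  return Boolean(user && user.role && PREVIEW_ROLES.has(user.role.name));
}

// Returns a copy of the query in which the publication filter is removed
// unless it is exactly the published-only value or the caller may preview.
// Removing it makes the API fall back to its default (published only).
function enforcePublishedOnly(query, user) {
  const cleaned = { ...query };
  let stripped = false;
  if (!mayPreview(user)) {
    for (const [param, published] of Object.entries(PUBLISHED_VALUE)) {
      // Allow-list check: arrays (?status=published&status=draft), objects
      // and any other value all fail the strict comparison and are dropped.
      if (param in cleaned && cleaned[param] !== published) {
        delete cleaned[param];
        stripped = true;
      }
    }
  }
  return { query: cleaned, stripped };
}

async function publishedOnly(ctx, next) {
  const { query, stripped } = enforcePublishedOnly(ctx.query, ctx.state.user);
  if (stripped) {
    // Worth alerting on: a caller without preview rights asked for drafts.
    console.warn('publication filter removed for caller without preview rights:', ctx.path);
  }
  ctx.query = query;
  await next();
}
```

The `stripped` flag gives the log line a detection value of its own: repeated hits from one client show someone probing for embargoed content.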