Only relevant to Blazor Web Assembly:
Authorization not enfored at odata Controller of Server component
As I can see, the Authorization is applied to the client razor pages, but not at the Server-side odata Controller.
returns valid data to any client since there is no authorization implemented.
Did I overlook something?