Bubble's own API tokens, privacy rules query

This might well be an obvious question and I’m quite sure I possibly know the answer but for completeness a 2nd opinion would be much appreciated.

I have an app and have enabled both GET and POST in my Bubble API.
I then protect any API workflows with an API token (I don’t have any in this application but I’ve enabled it anyway to demonstrate the point).

Am I correct in thinking that everything and all things (unless I restrict these based on privacy roles) will then be available to anyone?