Privacy rules ignored when data accessed via Data API

Just realized that when making a call to the enabled Data API, privacy rules are ignored.

I’ve set “When current Users is this things Creator” as the only rule for the exposed data types and then entered the endpoint in an incognito window (thought the cookie might be the cause), but still, the data is sent.

I don’t think this is intended behavior. Or is it?

Depends on how you authenticate to the Data API. When you authenticate with an authentication token to the Data API - you have full access, i.e. no privacy rules :grimacing:. When you authenticate with “Create Sign up/Login API workflows” to the Data API, you get the privacy rules unless you tick the box “ignore privacy rules”. :slight_smile:

Explained in the manual …

https://manual.bubble.io/core-resources/api/introduction#authentication

Create Sign up/Login API workflows … Privacy rules will apply to this user as they would if the user was logging in the Bubble app and using it in their own browser.

I understand the auth implications. The problem here is that the calls were made from an incognito window. Meaning that no auth was used, and even though there were privacy rules (i.e. someone not logged in shouldn’t be able to query the API), the API returned the full data.
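
A repeatable version of the incognito-window check discussed in this thread, as an added example that is not part of any post and not Bubble's own code: it requests a Data API list endpoint of your own app with no credentials and reports which fields an anonymous caller receives. The `response.results` shape, the `/api/1.1/obj/<type>` path in the placeholder URL and the three sample responses are assumptions or constructed values.

```python
import json
import urllib.error
import urllib.request


def http_get(url):
    """GET `url` with no cookies and no Authorization header; return (status, body)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def exposed_fields(status, body):
    """Field names present in a list response (assumed shape: response.results)."""
    if status != 200:
        return set()
    try:
        results = json.loads(body)["response"]["results"]
    except (ValueError, KeyError, TypeError):
        return set()
    if not isinstance(results, list):
        return set()
    fields = set()
    for record in results:
        if isinstance(record, dict):
            fields.update(record)
    return fields


def audit_type(url, fetch=http_get):
    """Report what an unauthenticated caller sees at one data-type endpoint."""
    status, body = fetch(url)
    fields = exposed_fields(status, body)
    return {"url": url, "status": status, "leak": bool(fields), "fields": sorted(fields)}


# Constructed sample responses, not captured from a real app.
SAMPLE_OPEN = (200, '{"response": {"results": [{"_id": "1x", "Created By": "u1", '
                    '"note": "private"}], "count": 1, "remaining": 0}}')
SAMPLE_EMPTY = (200, '{"response": {"results": [], "count": 0, "remaining": 0}}')
SAMPLE_DENIED = (401, '{"statusCode": 401}')

if __name__ == "__main__":
    # Placeholder URL; replace with your own app's endpoint and drop `fetch=` to go live.
    url = "https://example.invalid/api/1.1/obj/note"
    for name, sample in (("open", SAMPLE_OPEN), ("empty", SAMPLE_EMPTY), ("denied", SAMPLE_DENIED)):
        print(name, audit_type(url, fetch=lambda _u, s=sample: s))
```

Running this for every exposed data type after each privacy-rule change turns the manual check into a regression test: any type that reports `leak: True` is readable without logging in.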