Security Issue -- Why Does the Data API return a success response for unauthorized users?

Because you allowed them to, by virtue of enabling the data API. If you don’t want them to, disable the data API. You can, if you want, create a backend workflow that will accomplish the same thing as the data API (though your backend workflow will also be public, so what’s the point?).

If you have privacy rules, the data is secure.

I cannot emphasise this enough:

Privacy rules are the only thing that protect data visibility in Bubble. No matter if your data API is enabled/disabled, backend workflows exist/don’t exist… any data permitted by privacy rules is accessible.

You may find some info in this thread useful: