I see it now. To be on the safe side I always assumed you need on a condition on the api workflow itself because you could made up workflow calls on the client in the same way you can with data requests. I did try now and I see that I can bypass the restriction only for client side actions (eg toggle element) but it looks like backend actions have the workflow condition evaluated again.
that was fun to test. cheers 