Hacker News

Hello, I'm really sorry you had this unexpected exposure using ApostropheCMS. As you've mentioned, this data sharing was noted in the documentation but can still prove surprising.

A note for future researchers: the currently supported major version of Apostrophe no longer behaves in this way. Any data injection to the logged-out front-end would be a choice made at the developer level, specifically to avoid this sort of surprise.

That said, there are still use cases for including API keys as part of the configuration and 'content' of certain types of widgets.

For context, I am the head of design at Apostrophe and also play an engineering role.




Yeah, I didn't want to dunk on ApostropheCMS; this was our responsibility for not understanding the tech. I made another comment hoping to make that clear.

Overall it's a great and, in the current headless craze, a unique product. V3 looks very good, but we never got that in production.



