Cytomine-core

Security/privacy issue: Any logged-in user can see all other users

Open AustinGil opened this issue 2 years ago • 0 comments

I noticed the user API route (/api/user.json) will return all the registered users as long as I am logged in, even if I am logged in as just a guest.

I don't know, but this seems like a security or privacy issue. I don't think I want any user to be able to find out all the other users.

AustinGil, Jul 14 '21 22:07