
All the Doctypes accessible via REST to all Customers

We have an authentication process set up for customers, using which they can access quotations on the website (UI). The Frappe system exposes all DocTypes to an authenticated customer, which may or may not belong to him, on the /api/resource/{doctype}/{name} endpoint as suggested in the documentation.

Example: `curl -X GET -k -i 'https://example.com/api/resource/PC/PC00631'`, logged in as a customer,
gives us a valid DocType response via the REST call.

This puts our internal DocTypes and other customers' data privacy at risk.
Could anyone point out solutions or workarounds to solve this issue?
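One way to close this gap, shown here as an added example that is not from the original post or from the Frappe project: a `has_permission` hook plus a `permission_query_conditions` hook in a custom app, so a portal user only passes the document-level check for records of their own customer. The code assumes the `PC` DocType has a Link field named `customer`, that portal users are mapped to a Customer through a Contact, and that the hook module is registered in `hooks.py` as shown in the comments; the customer lookup is injectable so the logic can be exercised outside a running site.

```python
# Added example, not from the original post: a Frappe `has_permission` hook
# that limits the "PC" DocType from the post to the customer that owns the
# record. Assumed: "PC" has a Link field named `customer`, and portal users are
# linked to a Customer through a Contact (the lookup is injectable so the
# logic runs outside a Frappe site). Register in a custom app's hooks.py:
#   has_permission = {"PC": "my_app.permissions.pc_has_permission"}
#   permission_query_conditions = {"PC": "my_app.permissions.pc_query_conditions"}

PRIVILEGED_USERS = {"Administrator"}


def _contact_customer_lookup(user):
    """Assumed mapping for a live site: Contact.user -> Dynamic Link -> Customer."""
    import frappe  # only available inside a running Frappe site
    contact = frappe.db.get_value("Contact", {"user": user}, "name")
    if not contact:
        return None
    return frappe.db.get_value(
        "Dynamic Link",
        {"parent": contact, "parenttype": "Contact", "link_doctype": "Customer"},
        "link_name",
    )


def pc_has_permission(doc, ptype="read", user=None, customer_lookup=None):
    """Called by Frappe as (doc, ptype, user) after the role check passes.
    Returning False denies the request, e.g. GET /api/resource/PC/PC00631."""
    if user is None:
        import frappe
        user = frappe.session.user
    if user in PRIVILEGED_USERS:
        return True
    owner = (customer_lookup or _contact_customer_lookup)(user)
    if not owner:
        return False  # user is not mapped to any customer: deny by default
    doc_customer = doc.get("customer") if isinstance(doc, dict) else getattr(doc, "customer", None)
    return doc_customer == owner


def pc_query_conditions(user=None, customer_lookup=None):
    """Companion hook for list calls (GET /api/resource/PC): returns a WHERE
    fragment so other customers' rows are filtered out, not only blocked on read."""
    if user is None:
        import frappe
        user = frappe.session.user
    if user in PRIVILEGED_USERS:
        return ""
    owner = (customer_lookup or _contact_customer_lookup)(user)
    if not owner:
        return "1=0"  # no customer mapping: match nothing
    # inside Frappe, prefer frappe.db.escape(owner) over this manual quoting
    return "`tabPC`.`customer` = '{}'".format(owner.replace("'", "''"))
```

The role-based permissions in Role Permission Manager still decide which roles may touch `PC` at all; these hooks only narrow that further to the caller's own customer, and the same pattern applies to any other DocType a portal user should see only partially.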