All the Doctypes accessible via REST to all Customers

We have an authentication process set up for customers, using which they can access quotations on the website (UI). The Frappe system exposes all the doctypes to an authenticated customer, which may or may not belong to him, on the /api/resource/{doctype}/{name} endpoint as suggested in the documentation.

Ex: "curl -X GET -k -i 'https://example.com/api/resource/PC/PC00631'" logged in as a customer.
Gives us a valid doctype response via REST call.

This risks our internal doctypes and other customers' data privacy.
Could anyone point out solutions or workarounds to solve this issue?