I’ve been plugging away at building some custom forms and noticed that the server function frappe.get_doc does not security trim. Particularly field perm level. It seems odd to me to use ignore_permissions everywhere but here. Would it not be better to include security trimming by default in the get_doc function?
This is a problem for me, because the web_form function get_form_data does not call doc.apply_fieldlevel_read_permissions(), which end up leaking fields to customers!