How to keep /api/users endpoint off limits, but still allow filtering content by user?

OK. That sounds a bit better, indeed, albeit a more complex solution. Thank you! I’ll look into it.