How to securely protect Private fields in Strapi from being updated by users?

For the Users collection type (not Admins), I have fields such as firstName and lastName, which users can update freely.

However, I also have a field in the same Users collection called rank which they should NOT be able to update on their own; instead, the rank field should only be updated server-side via an API token (following this doc: API Tokens - Strapi Developer Documentation).

Although I tried making the rank field “Private” under the Advanced Settings tab, which prevented the rank field from being returned in the response, users can still update the rank field if they were to guess the key for it, which is not secure.

Is there a way to prevent Users from updating certain fields in addition to not showing up in the API response?

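One way to enforce this at the request layer is to strip (or refuse) write-protected fields before the update handler runs, unless the caller authenticated with an API token. The block below is an added example written for this thread; it is not code from the original post and not Strapi's own code. It assumes Strapi v4 conventions: that `ctx.state.auth.strategy.name` is `"api-token"` for API-token requests and `"users-permissions"` for end-user JWT requests, that a route middleware has the shape `(config, { strapi }) => async (ctx, next)`, and that the users-permissions update route is `PUT /users/:id` with handler `user.update`. The file path and route-config names in the registration comment are assumptions as well; the sample contexts are constructed inline for local testing.

```javascript
'use strict';

// Added example, not from the thread or from Strapi itself. Assumes Strapi v4,
// where ctx.state.auth.strategy.name is "api-token" for requests made with an
// API token and "users-permissions" for end-user JWT requests (both assumed).
// The file and route names in the registration comment at the bottom are assumed.

const PROTECTED_FIELDS = Object.freeze(['rank']);
const TRUSTED_STRATEGY = 'api-token';

// Name of the auth strategy that authenticated the request, or null if none.
function authStrategy(ctx) {
  return ctx?.state?.auth?.strategy?.name ?? null;
}

// Only server-side API-token callers may write protected fields. Anything else
// (end-user JWT, anonymous, unknown strategy) is treated as untrusted.
function isTrustedWriter(ctx) {
  return authStrategy(ctx) === TRUSTED_STRATEGY;
}

// Payload objects to inspect: the raw body (users-permissions PUT /users/:id
// takes fields at the top level) and body.data (content-API envelope).
function payloadTargets(body) {
  if (!body || typeof body !== 'object') return [];
  const targets = [body];
  if (body.data && typeof body.data === 'object') targets.push(body.data);
  return targets;
}

// Protected fields present anywhere in the payload; does not mutate.
function protectedFieldsIn(body, fields = PROTECTED_FIELDS) {
  const found = new Set();
  for (const target of payloadTargets(body)) {
    for (const f of fields) {
      if (Object.prototype.hasOwnProperty.call(target, f)) found.add(f);
    }
  }
  return [...found];
}

// Delete protected fields from the payload in place; returns what was removed.
function stripProtectedFields(body, fields = PROTECTED_FIELDS) {
  const removed = protectedFieldsIn(body, fields);
  for (const target of payloadTargets(body)) {
    for (const f of removed) delete target[f];
  }
  return removed;
}

// Synchronous decision so it can be tested without Koa. mode 'strip' silently
// drops the fields for untrusted callers; mode 'reject' refuses the request.
function guardRequest(ctx, config = {}) {
  const fields = config.fields ?? PROTECTED_FIELDS;
  const mode = config.mode ?? 'strip';
  if (isTrustedWriter(ctx)) return { allowed: true, dropped: [] };
  const body = ctx?.request?.body;
  const attempted = protectedFieldsIn(body, fields);
  if (attempted.length === 0) return { allowed: true, dropped: [] };
  if (mode === 'reject') return { allowed: false, dropped: attempted };
  return { allowed: true, dropped: stripProtectedFields(body, fields) };
}

// Strapi v4 route-middleware factory shape: (config, { strapi }) => async (ctx, next).
function protectFieldsMiddleware(config = {}) {
  return async (ctx, next) => {
    const result = guardRequest(ctx, config);
    if (!result.allowed) {
      ctx.status = 403;
      ctx.body = { error: { status: 403, name: 'ForbiddenError',
        message: `Not writable by users: ${result.dropped.join(', ')}` } };
      return;
    }
    await next();
  };
}

// Constructed Koa-like context for local testing (sample data, not captured traffic).
function makeCtx(strategyName, body) {
  return {
    state: { auth: strategyName ? { strategy: { name: strategyName } } : undefined },
    request: { body },
  };
}

// Registration (assumed paths): in a real project, save the functions above as
// src/middlewares/protect-user-fields.js with `module.exports = protectFieldsMiddleware;`
// and, in src/extensions/users-permissions/strapi-server.js, add
// 'global::protect-user-fields' to config.middlewares of the content-api route
// whose handler is 'user.update' (PUT /users/:id), then restart Strapi.
```

With the default `strip` mode a user sending `{ "firstName": "Ada", "rank": "admin" }` gets their name updated and `rank` silently discarded; `reject` mode answers 403 instead, which is the better choice when you want to detect probing of hidden field names in your logs. The guard only covers the route it is attached to, so any other endpoint that can write to the user entry (registration, for instance) needs the same treatment, and the untrusted default means a new or misnamed auth strategy fails closed rather than open.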

Really strange that this isn’t addressed or taken care of.
