You should use sanitizeEntity function, which removes all private fields from the model and its relations.
Take a look in documentation, at the Utils section:
https://strapi.io/documentation/v3.x/concepts/controllers.html#core-controllers
1 Like