Why are drafts publicly accessible, and how to mitigate?

Best option is to create a policy: Backend customization - Strapi Developer Documentation

Generalize the policy enough and store it as a global one; then you can attach that to any route where you want the drafts private.

1 Like
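A sketch of the global policy the reply describes, as an added example that is not code from the original post or from Strapi's documentation. It assumes the Strapi v4 policy signature; the file name `drafts-private` and the `allowedRoles` option are hypothetical, and the check goes beyond a single version by covering the draft-selecting query parameters of Strapi v3, v4 and v5.

```javascript
'use strict';
// Assumed location for a Strapi v4 global policy: ./src/policies/drafts-private.js
// (file name is hypothetical). Attach it per route with
//   config: { policies: ['global::drafts-private'] }
// or, with options,
//   config: { policies: [{ name: 'global::drafts-private', config: { allowedRoles: ['editor'] } }] }

// Query parameters that select unpublished entries:
// v3 `_publicationState=preview`, v4 `publicationState=preview`, v5 `status=draft`.
const DRAFT_PARAMS = { _publicationState: 'preview', publicationState: 'preview', status: 'draft' };

function asksForDrafts(query = {}) {
  return Object.entries(DRAFT_PARAMS).some(([key, draftValue]) => {
    // A repeated parameter (?status=published&status=draft) is parsed as an array.
    const values = Array.isArray(query[key]) ? query[key] : [query[key]];
    // Compare loosely (case, whitespace) so near-miss spellings fail closed.
    return values.some((v) => String(v ?? '').trim().toLowerCase() === draftValue);
  });
}

// Policy signature (policyContext, config, { strapi }); returning false rejects the request.
function draftsPrivate(policyContext, config = {}) {
  const query = (policyContext.request && policyContext.request.query) || {};
  if (!asksForDrafts(query)) return true;        // published content stays public

  const user = policyContext.state && policyContext.state.user;
  if (!user) return false;                       // anonymous caller asking for drafts

  // `allowedRoles` is a hypothetical option: when set, the user's role type must be listed.
  if (!Array.isArray(config.allowedRoles)) return true;
  const roleType = user.role && user.role.type;  // assumes the role is populated on the user
  return config.allowedRoles.includes(roleType);
}

if (typeof module !== 'undefined') module.exports = draftsPrivate;
```

Any request without `state.user` is treated as anonymous here, so a draft request is rejected unless a user is attached to the context.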