I’m not supporting their approach. Why can’t this be thought of as a control API with a built in allow list ? Where the list is hidden by obscurity