Several read endpoints authenticate but never scope results to the caller:
GET /donors, GET /donations (donors lambda)
GET /expenditures with no projectId filter (expenditures lambda)
GET /reports (reports lambda)
Any authenticated user can read all rows regardless of project membership. Add membership/admin scoping (reuse canAccessProject pattern) or filter by the caller's projects.
Several read endpoints authenticate but never scope results to the caller:
GET /donors,GET /donations(donors lambda)GET /expenditureswith no projectId filter (expenditures lambda)GET /reports(reports lambda)Any authenticated user can read all rows regardless of project membership. Add membership/admin scoping (reuse
canAccessProjectpattern) or filter by the caller's projects.