Comment 1 for bug 1933784

a) This would seem a bug of the API instead of the client, the latter can only respond with what it gets from the API.
b) In my understanding the details of the blacklist regexes are hidden from users by design, so exposing any of the information you are mentioning might undermine what some deployers consider a security feature.
Maybe a deployer can change the access permissions for the blacklist API via a different policy, but I'm not convinced that the current default behavior is wrong and would need to be changed.