Per my suggested solution in comment 17, regarding backports, I think the API behavior change is OK on stable in this case since we'd be:
1. secure by default
2. justify the change b/c of security
3. have a release note
4. and the policy rule allows a deployer to re-expose the leaks if they want, e.g. to their private cloud CI/CD dev team that is all internal traffic