Security
Public proof is separate from private controls.
The public security page is indexable and testable. Private owner diagnostics, account APIs, preview controls, run history, and operational JSON are not public SEO assets.
Boundary
Owner diagnostics return request IP only to the authenticated owner. API routes and private account surfaces should be noindex, disallowed where appropriate, or absent from sitemaps.
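One way to test the boundary above, as an added example that is not this site's own code. The host, paths, robots.txt, sitemap and header values are constructed samples, and the rule enforced (a private path is never listed in the sitemap and carries at least one of noindex or a robots.txt disallow) is an assumed reading of the policy.

```python
import urllib.robotparser
import xml.etree.ElementTree as ET

# Constructed sample inputs: hypothetical host and paths, not taken from the page.
BASE = "https://example.test"
PRIVATE_PREFIXES = ("/api/", "/account/", "/preview/")
ROBOTS_TXT = """\
User-agent: *
Disallow: /api/
Disallow: /account/
"""
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/security</loc></url>
  <url><loc>https://example.test/account/runs</loc></url>
</urlset>
"""
# X-Robots-Tag response header value observed for each path (constructed).
X_ROBOTS_TAG = {
    "/security": "",
    "/api/diagnostics": "noindex",
    "/account/runs": "",
    "/preview/draft": "noindex, nofollow",
    "/preview/share": "",
}

def audit(robots_txt, sitemap_xml, header_map):
    """Return {private_path: [problems]}; an empty list means the path passes."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    listed = {loc.text.strip() for loc in root.findall(".//sm:loc", ns)}
    findings = {}
    for path, tag in header_map.items():
        if not path.startswith(PRIVATE_PREFIXES):
            continue  # public pages such as /security are meant to be indexable
        disallowed = not rp.can_fetch("*", BASE + path)
        noindex = "noindex" in [t.strip().lower() for t in tag.split(",")]
        problems = []
        if BASE + path in listed:
            problems.append("listed in sitemap")
        if not (disallowed or noindex):
            problems.append("neither disallowed nor noindex")
        findings[path] = problems
    return findings

if __name__ == "__main__":
    print(audit(ROBOTS_TXT, SITEMAP_XML, X_ROBOTS_TAG))
```

A crawler that honors a robots.txt disallow never fetches the path, so it does not see a noindex header served there; the check accepts either control but does not treat the two as equivalent.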