I have reported what I think could be an issue in relation fields.
TLDR: custom content-type with a relation field -> set a private element as the related element -> set the custom object as public -> you can access (maybe only read?) the private element from the public element as anonymous.
Thoughts? Is this behavior needed somewhere or is it actually an issue?