Restapi caches permission checks for fields on object

My env:
Plone == 6.1.1
Python == 3.12.8
plone.restapi == 9.13.3

Issue: Exposing of protected information

Reproduce:

  1. Protect any field with a permission not given to an anonymous user
  2. Make a request with a Manager account, which has the permission --> Field is in response
  3. Make a request as an anonymous user to the same object, WITHOUT the permission --> Field is still there!!
  4. Reboot the instance and make a new request as an anonymous user. --> Field is gone.

I'm not sure if this is intentional or not.
But in my case, it exposes information I don't want to expose.

It got implemented here: Add `@inherit` service to get inherited behavior values (#1887) · plone/plone.restapi@763ce18 · GitHub

Which clearly is meant to be stored on the object, but not committed (volatile).

Before it was "cached" only in the serializer instance: Add `@inherit` service to get inherited behavior values (#1887) · plone/plone.restapi@763ce18 · GitHub
Which is IMHO the correct way to do this.

Any insights or thoughts?

Just in case, I created a PR for the issue to fix it. Fix permission check in schema serializer by maethu · Pull Request #1916 · plone/plone.restapi · GitHub
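As an added, self-contained illustration of the caching mistake described in the post (a constructed example, not plone.restapi's own code; the `Content`, `User`, serializer classes and the `_v_permission_cache` attribute are hypothetical stand-ins), the following contrasts a cache stored on the content object and keyed only by permission name with a cache that lives on the serializer instance, i.e. one per request, and is keyed by the requesting user as well. With the object-level cache, the first request (Manager) decides the answer for every later request to the same object until the process restarts, which is exactly the leak reported above.

```python
"""Constructed example: why caching a permission check on the object leaks
across users, and a request-scoped alternative. Not plone.restapi code."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: frozenset


@dataclass
class Content:
    # field name -> (permission required to read it, value)
    fields: dict
    # Hypothetical volatile, object-level cache: it is not persisted, but it
    # survives across requests and users until the process is restarted.
    _v_permission_cache: dict = field(default_factory=dict)


def check_permission(user: User, permission: str) -> bool:
    """Stand-in for a real security check: does this user hold the permission?"""
    return permission in user.permissions


class LeakySerializer:
    """Caches the check on the object, keyed only by permission name.

    Whoever serializes the object first fixes the answer for everyone else."""

    def __init__(self, context: Content, user: User):
        self.context = context
        self.user = user

    def __call__(self) -> dict:
        result = {}
        cache = self.context._v_permission_cache
        for name, (perm, value) in self.context.fields.items():
            if perm not in cache:
                cache[perm] = check_permission(self.user, perm)
            if cache[perm]:
                result[name] = value
        return result


class FixedSerializer:
    """Caches on the serializer instance (one per request) and includes the
    principal in the key, so no result can be reused for a different user."""

    def __init__(self, context: Content, user: User):
        self.context = context
        self.user = user
        self.permission_cache = {}  # (user name, permission) -> bool

    def __call__(self) -> dict:
        result = {}
        for name, (perm, value) in self.context.fields.items():
            key = (self.user.name, perm)
            if key not in self.permission_cache:
                self.permission_cache[key] = check_permission(self.user, perm)
            if self.permission_cache[key]:
                result[name] = value
        return result


def simulate(serializer_cls):
    """Serialize one object first as Manager, then as Anonymous, and return
    both responses. Sample content and users are constructed inline."""
    content = Content({
        "title": ("View", "Public title"),
        "internal_note": ("View Internal", "for staff only"),
    })
    manager = User("manager", frozenset({"View", "View Internal"}))
    anonymous = User("anonymous", frozenset({"View"}))
    manager_response = serializer_cls(content, manager)()
    anonymous_response = serializer_cls(content, anonymous)()
    return manager_response, anonymous_response


if __name__ == "__main__":
    for cls in (LeakySerializer, FixedSerializer):
        _, anon = simulate(cls)
        print(cls.__name__, "anonymous sees:", sorted(anon))
```

Running the script shows the leaky variant returning `internal_note` to the anonymous request because the Manager's earlier check was reused, while the request-scoped variant returns only `title`. The same object-level cache would also fail in the other direction: an anonymous request served first would hide the field from a Manager afterwards.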

I think you're right, the permission_cache does not depend on the role.