Whether a user is admin is sensitive information IMO; is it possible to not show the a. admin and b. trust_level field in the /latest.json response page for 1. unauthenticated users and 2. all users?
I’ve written one that hides my user from the admin list. I’m not entirely sure that it hides my user from that json load, but I think it might?
It was part of a larger plugin, so I don’t think I have that bit publicly available. I can try to post the key bits here, or you can contact me if you have a budget and want me to do it for you.
I did not know that the about page lists moderators and admins, so that explains why it is not treated as sensitive information. I have my answer, thanks all for the quick responses, much appreciated!