Yes, our general solution here is using the blocked onebox domains site setting.
Add all the internal “requires login” URLs into that list.
I do wonder @nat/@codinghorror if we should add a sledgehammer setting here.
block onebox on redirect - that setting can completely block any oneboxes if a redirect gets involved. It gives a very simple lever to control this behavior unconditionally across multiple domains.