@Adam I need more information. It looks like RSS hooks have proper privilege checking in place. What specific backend.php URL calls are causing a leak of info? And where are these calls located?
Ignore; I found the issue. I'm assuming it's opml because I saw some feeds listed that guests normally would not have access. I added a clause to hide those for guests.
backend.php opml mode was publicising all available feeds, even ones guests would not be able to access.
This patch hot-fudges a list of feeds we don't want to promote to guests; they will no longer display in the opml feed.
However in v11, we should add a new method in the RSS hooks for privilege checking (based on current member) and use that instead.
https://gitlab.com/composr-foundation/composr/-/commit/e25cffa0ff26d49d1b48b2a62694a57855563972