I guess I just assume a good architect would enforce authorization with an identity server and never put anything important on the client.