I'd agree with you in theory, but in practice, those API endpoints end up being exploit vectors for data leakage in various ways - either through actual security vulns or through the security vulnerability that exists between the monitor and the chair.