Comment 7 for bug 1186059

That sounds like a perfectly valid reason for requiring that those calls require authorization, however it's a corner case that doesn't necessarily support requiring authorization out of the box. policy.json is intended to be customized, after all.

Also, if someone has access to your token and is using it, they are not impersonating you, they are simply stealing your identity without traceability.