This does not appear to really be an issue by itself, but it might be in the case of carelessly implemented Solution's to this problem that don't check permissions in message.jelly and expose private data on the overview page (even if checking permissions for any associated actions).