Security considerations for the "test" operation

[spaceone]

I don't want to file an erratum but just mention it here. Maybe you want to incorporate this idea into the security considerations.

Often backends have the full data set but restrict writing certain items, so that replaceing a value would not be possible.
But testing for a value would be possible.
Imagine the data structure has some plaintext secrets like {"password: "foobar", …},
then a {"op": "test", "path": "/password", "value": "foobar"} would successfully reveal a matching password, if no restrictions exists for allowed-to-read keys.