I don't think the problem is in architecture. An API might sometimes be easier to analyze because it usually has a detailed description, often even in machine-readable form.
> It's also easy to use marshalling tools/framework features that serialize entire domain objects, which contain sensitive IDs/data that is then inadvertently leaked.
This is just poor code quality. Sensitive data can be hidden in HTML attributes and inline scripts too.