Client-side filtering of private data is a bad idea
The dating app Feeld claimed users' preferences were private, but security testing revealed the app's GraphQL API exposed sensitive data like "lookingFor" and "ageRange" fields. Hidden profiles and partnership information were also accessible despite not being displayed in the UI. The issues have since been fixed after being reported to the company.
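The server-side alternative to client-side filtering, as an added example that is not Feeld's code or part of the original article. It uses plain JavaScript resolver functions (no GraphQL library); only the field names lookingFor and ageRange come from the text, while the sample profiles, the hidden flag and all function names are assumptions.

```javascript
// Constructed sample data. lookingFor and ageRange are the field names from the
// article; ids, names, the hidden flag and every helper name are assumed.
const PROFILES = [
  { id: "u1", name: "Alex", hidden: false, lookingFor: ["couples"], ageRange: [25, 35] },
  { id: "u2", name: "Sam", hidden: true, lookingFor: ["singles"], ageRange: [30, 40] },
];

// Fields only the profile owner may read.
const OWNER_ONLY = new Set(["lookingFor", "ageRange"]);

// Weak pattern: the API returns every profile and every stored field,
// relying on the app UI not to render the private parts.
function resolveProfilesUnfiltered(_viewerId) {
  return PROFILES.map((p) => ({ ...p }));
}

// Hardened pattern: authorization is decided on the server, per object and
// per field, before anything is serialized into the response.
function resolveProfilesFiltered(viewerId) {
  return PROFILES
    .filter((p) => !p.hidden || p.id === viewerId) // hidden profiles never leave the server
    .map((p) => {
      const isOwner = p.id === viewerId;
      const out = {};
      for (const [field, value] of Object.entries(p)) {
        if (!isOwner && (field === "hidden" || OWNER_ONLY.has(field))) continue;
        out[field] = value;
      }
      return out;
    });
}

// Regression check for an API test suite: which private items does the raw
// response for this viewer still carry about other users?
function leakedFields(response, viewerId) {
  const leaks = [];
  for (const p of response) {
    if (p.id === viewerId) continue;
    if (p.hidden) leaks.push(`${p.id}:<hidden profile>`);
    for (const f of OWNER_ONLY) if (f in p) leaks.push(`${p.id}:${f}`);
  }
  return leaks;
}

console.log("unfiltered:", leakedFields(resolveProfilesUnfiltered("u1"), "u1"));
console.log("filtered:  ", leakedFields(resolveProfilesFiltered("u1"), "u1"));
```

Running a check like leakedFields against the raw API response, rather than against what the UI renders, is what catches this class of exposure before release.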