Comment 14 for bug 1840288

Colleen Murphy (krinkle) wrote :

I grant that a trust ID on its own is not enough to get a token, and that moreover if someone had a trustee's credentials or intercepted token then that would already be enough to look up the trust, so the trust UUID itself is not especially sensitive information. I would not go as far as to say it is "public" information, and ideally we would make this API consistent with our other APIs by enforcing RBAC first before revealing the existence or nonexistence of a record in the database. But it is not a severe enough leak to warrant changing the API error response and so I agree with marking this Won't Fix.
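
The ordering issue discussed in the comment above, as an added example that is not part of the original comment and is not Keystone's code. The handler names, the trustor/trustee check, the 403/404 status codes and the sample trust are assumptions constructed for illustration.

```python
# Constructed sample data: one trust record keyed by a made-up UUID.
TRUST_ID = "3f2b6c1e-0000-4000-8000-000000000001"
MISSING_ID = "3f2b6c1e-0000-4000-8000-00000000ffff"  # not in the store
TRUSTS = {TRUST_ID: {"trustor": "alice", "trustee": "bob"}}


class NotFound(Exception):
    status = 404  # assumed status code for "no such record"


class Forbidden(Exception):
    status = 403  # assumed status code for "RBAC denied"


def _is_party(user, trust):
    # Hypothetical RBAC rule: only the trustor or trustee may read a trust.
    return user in (trust["trustor"], trust["trustee"])


def get_trust_lookup_first(user, trust_id):
    """Database lookup before RBAC: the error type depends on existence."""
    trust = TRUSTS.get(trust_id)
    if trust is None:
        raise NotFound(trust_id)    # tells any caller the ID is unused
    if not _is_party(user, trust):
        raise Forbidden(trust_id)   # tells any caller the ID exists
    return trust


def get_trust_rbac_first(user, trust_id):
    """RBAC decides the response: a missing record and a record the
    caller may not read produce the same error."""
    trust = TRUSTS.get(trust_id)
    if trust is None or not _is_party(user, trust):
        raise Forbidden(trust_id)
    return trust


def status_for(handler, user, trust_id):
    try:
        handler(user, trust_id)
        return 200
    except (NotFound, Forbidden) as exc:
        return exc.status


def leaks_existence(handler, outsider):
    """True if a caller with no rights on the trust can tell an existing
    ID from a nonexistent one by the error response alone."""
    return (status_for(handler, outsider, TRUST_ID)
            != status_for(handler, outsider, MISSING_ID))
```
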