Yeah. This is an issue with AEM out of the box user related components.
As you said, user node information should not be visible to end user.
However, in order to match a particular selector, AEM makes user node
accessible to everyone. Image same case on the publish server. We have
to read access to these nodes.In order to fix it, we may require to do
the customization in existing components. If you wanna try something,
here are a few hints:Do the sling mapping /home/users/ to "". This way, you ...