ZABBIX FEATURE REQUESTS / ZBXNEXT-10334

Users with an empty API Allow list can execute some API actions


      There is a bug where if a user has Access to API enabled, but the Allow list is empty, they can still execute some API actions.

      Scenario:

      1. Edit the default User role, change API access from "Deny list" to "Allow list"
      2. Optional: for better demonstration you can also remove all other access, except API access has to be enabled (see image below)
      3. Create a regular user with this role
      4. Some API methods can still be called (when they shouldn't)
      5. Change the user role permissions again, in the Allow list add a single method
      6. Now only the allowed API method works (as expected)

      My user role config:

      Expected:

      As a user I would expect no API methods to work when the list is empty. This is further reinforced by the fact that they don't work when a single API method is added to the list.
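
The expected behaviour described above, written as a fail-closed check. This is an added example, not Zabbix code and not part of the original report; the role dictionary keys, the sample method names and the wildcard matching are assumptions of this model. It also lists roles configured as in the scenario (API access enabled, Allow list, no entries), which are the ones to review.

```python
from fnmatch import fnmatchcase

ALLOW_LIST, DENY_LIST = "allow", "deny"  # modeled modes (assumed names)

# Constructed sample method names used to exercise the check.
SAMPLE_METHODS = ["host.get", "item.get", "user.get", "problem.get"]


def api_call_permitted(role, method):
    """Return True only if the modeled role explicitly permits `method`."""
    if not role.get("api_access", False):
        return False  # API access disabled: nothing is callable
    patterns = role.get("methods", [])
    listed = any(fnmatchcase(method, p) for p in patterns)
    if role.get("mode") == ALLOW_LIST:
        return listed  # empty list -> any() is False -> deny everything
    if role.get("mode") == DENY_LIST:
        return not listed
    return False  # unknown mode: fail closed


def permitted_methods(role, methods=SAMPLE_METHODS):
    """Methods from `methods` that the role may call."""
    return [m for m in methods if api_call_permitted(role, m)]


def roles_with_empty_allow_list(roles):
    """Names of roles set up as in the report: API on, Allow list, no entries."""
    return [r["name"] for r in roles
            if r.get("api_access") and r.get("mode") == ALLOW_LIST
            and not r.get("methods")]


# Constructed role configurations mirroring the steps of the scenario.
ROLES = [
    {"name": "empty-allow", "api_access": True, "mode": ALLOW_LIST, "methods": []},
    {"name": "one-method", "api_access": True, "mode": ALLOW_LIST, "methods": ["host.get"]},
    {"name": "empty-deny", "api_access": True, "mode": DENY_LIST, "methods": []},
    {"name": "wildcard", "api_access": True, "mode": ALLOW_LIST, "methods": ["*.get"]},
]

if __name__ == "__main__":
    for role in ROLES:
        print(role["name"], permitted_methods(role))
    print("review:", roles_with_empty_allow_list(ROLES))
```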

            arimdjonoks Artjoms Rimdjonoks
            jnulle Janis Nulle
            Team C