I discovered, that even with the smallest amount of user privileges (just enough to login) I am able to get name & email addresses of other available users.
I verified that in my live frappecloud account, where I was able to read 82 user data of frappe employees/users.
I accomplished this with with the search_link / search_widget service, which is used for value helps.
So at this point I don’t want to get deeper, as the problem is obviously still present.
Please tell me, who will be able to sort that out → I’ll send all details via DM.