When calling particular actions, the API should check if the authenticated user has the permission to do that action.
Moreover, if the action involves another user or course, the API should check if the authenticated user has permission on that object.
Let's say we're authenticating as an Administrator (not a God Admin) and he's calling the user API, userdetails action, on a certain user X.
In my opinion we should first check that the authenticated user has permission to view users, and then whether he has visibility on user X.
Otherwise, we should resign ourselves to the fact that the authenticated user will always have God privileges.