The following API…
https://games.roblox.com/docs#!/Games/get_v2_users_userId_games
Does not respect a user’s hidden inventory settings, and will show all games created by a certain user.
For the safety of the user, certain information has been redacted.
As we can see, this lucky volunteer’s inventory is hidden
However, if we send a request to the API, the inventory of places is public.
Obviously, this post had information redacted for user safety, but you are free to try the API yourself on any hidden inventory (please do it on your own user in an incognito window if you can).
This bug is a massive security risk as it completely ignores a privacy setting that was added so users and developers could protect items in their inventories.