In cases where a profile is not public and the user is not logged in or not authorized to view it, we should probably return a 404 instead of a 403 because the latter reveals the existence of the profile (and is also confusing to non-logged-in users).
We can probably use Response::denyAsNotFound() in the policy. See https://laravel.com/docs/10.x/authorization#customising-policy-response-status
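A sketch of the policy change proposed above, added as an example and not taken from the project's code. The `Profile` model, its `is_public` and `user_id` attributes, and the owner-only rule for private profiles are assumptions.

```php
<?php

namespace App\Policies;

use App\Models\Profile; // hypothetical model, not from the issue
use App\Models\User;
use Illuminate\Auth\Access\Response;

class ProfilePolicy
{
    /**
     * Decide whether $user may view $profile.
     *
     * The nullable ?User type-hint lets guests reach this method. Without it
     * the gate denies guests before the policy runs, and they receive a plain
     * 403 that still reveals the profile exists.
     */
    public function view(?User $user, Profile $profile): Response
    {
        // Public profiles are visible to everyone, logged in or not.
        if ($profile->is_public) { // assumed boolean attribute
            return Response::allow();
        }

        // Assumed rule: only the owner may see a private profile.
        if ($user !== null && $user->id === $profile->user_id) { // assumed foreign key
            return Response::allow();
        }

        // Guests and non-owners get a 404, the same status a request for a
        // profile that does not exist would produce.
        return Response::denyAsNotFound();
    }
}
```

The 404 status only takes effect where the check throws, for example `$this->authorize('view', $profile)` in the controller or `Gate::authorize('view', $profile)`. Boolean checks such as `$user->can('view', $profile)` return `false` and leave the response code to the caller.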