Authenticated per-user check
The homepage scan proves what an anonymous visitor can read. This one goes deeper: it logs in as two of your own test users and checks whether one can read the other’s rows — the horizontal privilege-escalation (BOLA) class that stays invisible to an anonymous probe. Because it authenticates as a real user, it runs only on a domain you’ve verified.