The idea is that the site devs should be able to define permissions for anonymous API requests (API requests without any authentication whatsoever).
This could be solved by allowing the magic
nobody role to have permissions in the blueprints. The default permissions would of course still be completely locked down, so site devs need to explicitly whitelist anonymous access.
The next step would be to allow anonymous API requests in general (don’t block them all together), but assign them the nobody user so that the permissions system gets to check whether the current request is allowed or not.