Breeze / breeze.server.net

Breeze support for .NET servers
MIT License

$select backdoor to expand despite AllowedQueryOptions.Expand set to false #26

Closed eggers closed 2 years ago

eggers commented 9 years ago

I am finally getting around to using the EnableBreezeQuery as described in #12, but I'm having an issue.

I've set the options to disable expand, so as expected, if I call: orders?$expand=privateObject, I'll get the expected error:

{
  "$id":"1",
  "$type":"System.Web.Http.HttpError, System.Web.Http",
  "Message":"The query specified in the URI is not valid. Query option 'Expand' is not allowed. To allow it, set the 'AllowedQueryOptions' property on EnableQueryAttribute or QueryValidationSettings.",
  "ExceptionMessage":"Query option 'Expand' is not allowed. To allow it, set the 'AllowedQueryOptions' property on EnableQueryAttribute or QueryValidationSettings.",
  "ExceptionType":"Microsoft.Data.OData.ODataException",
  "StackTrace":"   at System.Web.Http.OData.Query.Validators.ODataQueryValidator.ValidateQueryOptionAllowed(AllowedQueryOptions queryOption, AllowedQueryOptions allowed)\r\n   at System.Web.Http.OData.Query.Validators.ODataQueryValidator.Validate(ODataQueryOptions options, ODataValidationSettings validationSettings)\r\n   at System.Web.Http.OData.EnableQueryAttribute.ValidateQuery(HttpRequestMessage request, ODataQueryOptions queryOptions)\r\n   at Breeze.WebApi2.EnableBreezeQueryAttribute.ValidateQuery(HttpRequestMessage request, ODataQueryOptions queryOptions)\r\n   at System.Web.Http.OData.EnableQueryAttribute.ExecuteQuery(Object response, HttpRequestMessage request, HttpActionDescriptor actionDescriptor)\r\n   at System.Web.Http.OData.EnableQueryAttribute.OnActionExecuted(HttpActionExecutedContext actionExecutedContext)"
}

However, if I just call: orders?$select=privateObject, the privateObject will be returned. It looks like you can bypass the expand restriction by just using $select.

wardbell commented 9 years ago

Yup. You either have to disable select as well or examine the query string inside your method and detect unwanted syntax.

This is in the nature of LINQ. Breeze is not involved. The EnableBreezeQuery attribute mostly just delegates to the Web API EnableQuery.

I'm open to suggestions.
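One way to implement the second option wardbell describes (inspecting the query for unwanted syntax) is shown below. This is an added example, not code from this thread or from breeze.server.net. It assumes the Web API 2 OData v3 types that appear in the stack trace above (System.Web.Http.OData, Microsoft.Data.OData, Microsoft.Data.Edm), that Breeze.WebApi2.EnableBreezeQueryAttribute is not sealed so its ValidateQuery override can itself be overridden, and hypothetical names (NoNavSelectQueryAttribute, OrdersController, Order, _contextProvider) chosen for illustration. The first option, disabling $select entirely, is just the AllowedQueryOptions mask on the action without the Select flag.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.OData.Query;
using Microsoft.Data.Edm;
using Microsoft.Data.OData;
using Breeze.WebApi2;

// Hypothetical hardened attribute (not Breeze's own code). It keeps the normal
// AllowedQueryOptions validation (which is what rejects $expand in the issue) and
// additionally rejects any $select whose path starts at a navigation property, which
// is the bypass the thread describes: orders?$select=privateObject returning the
// related object even though $expand is disallowed.
public class NoNavSelectQueryAttribute : EnableBreezeQueryAttribute
{
    public override void ValidateQuery(HttpRequestMessage request, ODataQueryOptions queryOptions)
    {
        // Standard validation first: produces "Query option 'Expand' is not allowed"
        // when Expand is missing from AllowedQueryOptions.
        base.ValidateQuery(request, queryOptions);

        string rawSelect = queryOptions.SelectExpand == null ? null : queryOptions.SelectExpand.RawSelect;
        if (string.IsNullOrWhiteSpace(rawSelect))
        {
            return;
        }

        // The element type of the queried set; null if the action does not return entities.
        var entityType = queryOptions.Context.ElementType as IEdmEntityType;
        if (entityType == null)
        {
            return;
        }

        foreach (string item in rawSelect.Split(','))
        {
            // "$select=Customer/Name" reaches the related entity through its first
            // segment, so the first segment is the one that matters.
            string first = item.Trim().Split('/')[0];
            IEdmProperty property = entityType.FindProperty(first);
            if (property != null && property.PropertyKind == EdmPropertyKind.Navigation)
            {
                // Same exception type the built-in validator throws, so clients see
                // the same HttpError shape as for a disallowed $expand.
                throw new ODataException(
                    "Query option 'Select' may not reference navigation property '" + first + "'.");
            }
        }
    }
}

public class OrdersController : ApiController
{
    // Hypothetical Breeze context provider exposing an Orders set.
    private readonly EFContextProvider<OrdersContext> _contextProvider = new EFContextProvider<OrdersContext>();

    // Expand is deliberately absent from the mask; Select stays allowed but is now
    // filtered by NoNavSelectQueryAttribute. To take wardbell's first option instead,
    // drop AllowedQueryOptions.Select from this mask as well.
    [HttpGet]
    [NoNavSelectQuery(AllowedQueryOptions =
        AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy |
        AllowedQueryOptions.Skip | AllowedQueryOptions.Top |
        AllowedQueryOptions.Select | AllowedQueryOptions.InlineCount)]
    public IQueryable<Order> Orders()
    {
        return _contextProvider.Context.Orders;
    }
}
```

With this in place, orders?$select=privateObject and orders?$select=privateObject/Secret are rejected before the query executes, while orders?$select=Id,Total (structural properties only) still works. The check is on the raw $select string rather than the parsed select clause because it is the cheapest place to fail closed, and it matches what the built-in validator does for the option-level AllowedQueryOptions check.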