A01:2021-Broken Access Control is the category with the most serious web
application security risk.
Using scope.all in templates violates the principle of least privilege
or deny by default, where access should only be granted for particular
capabilities, roles, or users.
This change improves the security of default templates.
Closes https://github.com/varvet/pundit/pull/711 (original issue and pull request)
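
The failure mode this commit message describes, as an added example (not Pundit's code and not the change itself). It uses plain-Ruby stand-ins: `FakeRelation`, `PermissiveScope`, `StrictScope` and the sample posts are hypothetical names and constructed data, and raising from the base `resolve` is one assumed way to deny by default.

```ruby
# Constructed in-memory stand-in for an ActiveRecord relation (hypothetical).
class FakeRelation
  attr_reader :rows
  def initialize(rows)
    @rows = rows
  end
  def all
    self
  end
  def where(conds)
    FakeRelation.new(rows.select { |r| conds.all? { |k, v| r[k] == v } })
  end
end

User = Struct.new(:id, :admin)
POSTS = FakeRelation.new([{ id: 1, owner_id: 1 }, { id: 2, owner_id: 2 }]) # constructed

# Permissive base: any policy that forgets to override resolve exposes every row.
class PermissiveScope
  def initialize(user, scope)
    @user = user
    @scope = scope
  end

  def resolve
    @scope.all
  end
end

# Deny-by-default base: nothing is returned until a policy defines resolve.
class StrictScope < PermissiveScope
  def resolve
    raise NotImplementedError, "define #resolve in #{self.class}"
  end
end

class ForgottenPermissive < PermissiveScope; end
class ForgottenStrict < StrictScope; end

# Access granted explicitly, per role and per user.
class PostScope < StrictScope
  def resolve
    @user.admin ? @scope.all : @scope.where(owner_id: @user.id)
  end
end

def visible_ids(scope_class, user)
  scope_class.new(user, POSTS).resolve.rows.map { |r| r[:id] }
end
```

With the permissive base, a scope that never overrides `resolve` silently returns every record to any user; with the strict base, the same omission fails loudly the first time the scope is resolved.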