Rest query returning resuts without Authorization

Please see the bellow image, I am not sending Authorization header and I still get results in my rest query. even in chrome incognito plain GET request i get results.
What am I missing, how come my rest query is not protected

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<queries xmlns="">
    <query entity="crm$ProductEntity"
            <![CDATA[select p from crm$ProductEntity p where p.tenantId=:tenantId]]>
            <param name="tenantId" type="java.lang.String" />


Did you enable anonymous access for REST-API?

@artamonov sure I have anonimouse ebabled, this is how my site communicates the server to register new user.
The anonimouse user does not have access to the ProductEntity and the permissions.

If the anonymous user doesn’t have permissions for reading the “ProductEntity”, then no data should be returned and you should get the 403 error back. Please check permissions for the “anonymous” user once again carefully. If you’re sure that permissions are fine then please create a small demo project where the problem can be reproduced and attach it here.

As best practice, you should really have your site do some basic authentication as well.