The global route middleware protects pages only by redirecting users on the client. That is a UX convenience, not a security boundary: anyone can bypass it by calling the server directly.
If you have sensitive data, enforce access on the server (API handlers, server routes, DB queries) so the data never leaves the server without a check.
The built-in Nitro middleware only checks routeRules.role for /api/**.
If you want different behavior (e.g. enforce auth: 'user' for APIs), add your own Nitro middleware and/or call requireUserSession(event) directly inside handlers.
Unauthenticated users are redirected to /login when a page requires auth. If your app uses a different login path, create a /login route or implement your own route middleware.
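The following is an added example of the server-side enforcement the notes above recommend; it is not the module's own code. It models what a custom Nitro middleware in server/middleware/ would do, written as pure functions so it runs stand-alone. In a real app the session would come from requireUserSession(event) or getUserSession(event) (nuxt-auth-utils) and the matched rules from Nitro's getRouteRules(event); the `auth` rule field, the `Session`, `RouteRule` and `EventLike` types, the `routeRules` table, and the `matchRouteRule`, `authorize` and `middleware` functions are assumptions made for this example.

```typescript
// Added example (not the module's code): enforce route-rule auth on the server,
// the way a custom Nitro middleware would, so a client-side redirect is never
// the only thing standing between a request and sensitive data.

type Role = 'user' | 'admin';
type Session = { user: { id: string; role: Role } } | null;
// Assumed rule shape: auth: 'user' = any signed-in user, auth: 'admin' = that role.
type RouteRule = { auth?: Role };

// Constructed rule table. The built-in middleware only checks routeRules.role
// under /api/**; this custom check covers every path the table names.
const routeRules: Record<string, RouteRule> = {
  '/api/admin/**': { auth: 'admin' },
  '/api/me': { auth: 'user' },
  '/dashboard/**': { auth: 'user' },
  '/api/public/**': {},
};

// Longest-prefix match of a request path against the table. A key ending in
// '/**' matches that directory and everything below it; other keys match exactly.
function matchRouteRule(path: string): RouteRule {
  let best: { len: number; rule: RouteRule } | null = null;
  for (const [pattern, rule] of Object.entries(routeRules)) {
    let hit = false;
    if (pattern.endsWith('/**')) {
      const base = pattern.slice(0, -3);
      hit = path === base || path.startsWith(base + '/');
    } else {
      hit = path === pattern;
    }
    if (hit && (!best || pattern.length > best.len)) {
      best = { len: pattern.length, rule };
    }
  }
  return best ? best.rule : {};
}

type Decision = { status: 200 | 401 | 403; reason: string };

// The server-side decision: 401 when no session, 403 when the session lacks the
// required role, 200 otherwise. A non-200 here stops the handler from running.
function authorize(path: string, session: Session): Decision {
  const rule = matchRouteRule(path);
  if (!rule.auth) return { status: 200, reason: 'no auth rule' };
  if (!session || !session.user) return { status: 401, reason: 'no session' };
  if (rule.auth !== 'user' && session.user.role !== rule.auth) {
    return { status: 403, reason: 'requires role ' + rule.auth };
  }
  return { status: 200, reason: 'ok' };
}

// Shape of the Nitro middleware that would wrap authorize() in a real app
// (h3 defineEventHandler/createError); a minimal event type keeps it runnable here.
type EventLike = { path: string; session: Session };
function middleware(event: EventLike): void {
  const d = authorize(event.path, event.session);
  if (d.status !== 200) {
    const err = new Error(d.reason) as Error & { statusCode: number };
    err.statusCode = d.status;
    throw err;
  }
}

// Constructed sessions for a quick stand-alone run.
const anon: Session = null;
const alice: Session = { user: { id: 'u1', role: 'user' } };
const root: Session = { user: { id: 'u0', role: 'admin' } };

console.log(authorize('/api/admin/users', anon).status);  // 401
console.log(authorize('/api/admin/users', alice).status); // 403
console.log(authorize('/api/admin/users', root).status);  // 200
console.log(authorize('/api/public/ping', anon).status);  // 200
```

The point of the split between authorize() and middleware() is that the decision is testable without Nuxt, while the thrown error carries the status code that h3's createError would use, so the same logic can be dropped into a server route or called from a handler before touching the database.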