A security issue involving bookmarks has been filed, where we're not
restricting both the API and UI to access private bookmarks. Would
somebody be interested in writing a patch to address these problems?
Ticket is Bug #13828: CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks - Foreman and I've added a
few notes about related issues. A CVE will be assigned in due course.
Thanks!