Fooled by parse. I thought that I could query by sessionToken in order to authenticate users on the client end, but it looks like they (rightly) omit the sessionToken from the allowed queryable parameters, and return a list of all users. Removing tests that gave the idea that such thing was possible.
