When anonymous access is blocked via a Data Security Policy (DSP) at the org level, anonymous users are still able to retrieve space metadata (space names, keys) through the REST API endpoint /wiki/api/v2/spaces.

The DSP currently blocks access to space content (pages, blogs, attachments), but allows the space information to be listed for anonymous users.

When anonymous access is set to 'blocked' as default, space anonymous access should also be changed.