jellyfin / jellyfin-plugin-playbackreporting

Playback Statistics Plugin for Jellyfin

Home Page: https://jellyfin.org

[Security Issue] Registered routes publicly available

GigaFyde opened this issue

As of right now, all routes registered by the plugin don't seem to be secured in any way.
This means anyone could access and read the data.

Example route: http://localhost:8096/emby/user_usage_stats/user_activity
It's not limited to localhost only.

Would like to see this limited to authorized admin users only.

This should be fixed now

Happy to report that it's indeed no longer publicly accessible from the looks of it.
Greatly appreciated.