At the time, each client-side call to the reflection helpers was creating the right privilege block. I think the intent later was to DRY and mutualise the code, but that opened up that privilege hole.
that sounds about right