A Curator can see all workflows and their general info in the Admin area. This is fine. However, a Curator can also paste the app ID of a workflow in his/her regular gallery view and can download the workflow even if the workflow is not shared directly with the Curator.
For example, a user (regardless of role) access a workflow that's shared with him/her like this:
https://<alteryx server hostname>/gallery/#!app/<workflow name>/<workflowId>
A Curator can paste the workflowId of a workflow that he/she does not have access to in the URL, and access the workflow to download it. We think that this is a security/IP risk as we do not want our Curators (system admins, Support reps) to be able to perform such an action.
