Open
Description
Steps to reproduce
It appears that the attributes passed to can are only used by ControllerResourceBuilder but not by ControllerResourceFinder, so restrictions on accessible attributes are not automatically applied to #index and #show actions.
See gist: https://gist.github.com/afn/441dfcf4ddc751b82f09af11bb356ba2
Expected behavior
When Ability restricts access to attributes on a :read action, the controller helpers for #index and #show should automatically select only the subset of attributes that are permitted.
Actual behavior
The resources assigned by load_and_authorize_resource include all attributes of the model, even ones that should not be accessible.
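The filtering the report expects from #show and #index, as an added example that is not part of this issue or of CanCanCan's own code. Because the gem and Rails are not loaded here, `StandInAbility` is a constructed stand-in that only mirrors the shape of CanCanCan's `can(action, subject, attributes)` and `permitted_attributes(action, subject)` methods; the `Article` struct, its rules and its values are constructed sample data. `filter_readable` is the manual step a controller can apply to a loaded record until the library does it automatically.

```ruby
# Added example: a minimal stand-in for CanCanCan's attribute-level rules.
# It is NOT the gem's implementation; it only mirrors the shape of
# `can(action, subject, attributes)` and `permitted_attributes(action, subject)`
# so the filtering step can be shown without Rails.

# Constructed model: one column (internal_notes) should not be readable.
Article = Struct.new(:id, :title, :body, :internal_notes, keyword_init: true)

class StandInAbility
  def initialize
    @rules = [] # each rule: [action, subject_class, attribute list or nil]
  end

  # can :read, Article, [:title, :body]  -> attribute-restricted rule
  # can :read, Article                   -> every attribute of the model
  def can(action, subject, attributes = nil)
    @rules << [action, subject, attributes && Array(attributes)]
  end

  # Union of attributes granted for `action` on `subject` (class or instance).
  def permitted_attributes(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    matching = @rules.select { |a, s, _| a == action && s == klass }
    return [] if matching.empty?
    # an unrestricted rule grants every attribute of the model
    return klass.members if matching.any? { |_, _, attrs| attrs.nil? }
    matching.flat_map { |_, _, attrs| attrs }.uniq
  end
end

# What the report expects #show to do automatically: keep only the
# attributes the ability permits for :read and drop everything else.
def filter_readable(ability, record)
  allowed = ability.permitted_attributes(:read, record)
  record.to_h.select { |name, _| allowed.include?(name) }
end

# The same step for an #index collection.
def filter_readable_collection(ability, records)
  records.map { |r| filter_readable(ability, r) }
end

def demo
  ability = StandInAbility.new
  ability.can :read, Article, [:id, :title, :body] # internal_notes is withheld
  article = Article.new(id: 1, title: "Hello", body: "Text", internal_notes: "secret")
  filter_readable(ability, article)
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With a rule that lists no attributes the helper returns the whole record, and with no matching rule it returns an empty hash, so the default on a misconfigured ability is to withhold rather than expose.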
System configuration
Rails version: 7.1
Ruby version: 3.3.2
CanCanCan version: 3.5.0