Description
Currently:
If jwt-aud is not set (the default), PostgREST identifies with all audiences and allows the JWT for any aud claim.
On the other hand, RFC 7519 says:
If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
While the RFC wording is vague, I am convinced we MUST reject JWTs containing an aud claim if jwt-aud is empty (i.e. an empty jwt-aud means we only accept JWTs without an aud claim).
My reasoning is: we should stop thinking about "protecting the system" and start thinking about "protecting user data processed by the system". In this context, the threat the aud claim is supposed to protect against is that an attacker steals a JWT and tries to use it to access a user's data in an unrelated context. An empty jwt-aud right now is hence a security hole. We should be secure by default, so misconfiguration (i.e. a missing jwt-aud) should not lead to a security breach. If an administrator wants to accept any aud claim, then it should be configured explicitly.
The simplest solution I can think of is to make jwt-aud a regular expression with \b\B (i.e. reject anything) as the default value. It can be set explicitly to .* to match anything, and also to aud1|aud2|aud3 to address #2099.
This was first discussed in #4132 but I think it is worth creating a separate issue for this.
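Added illustration, not PostgREST code and not from the issue author: the current and the proposed jwt-aud semantics side by side in Python. The function names, the representation of the decoded aud claim (absent, a string, or a list of strings as RFC 7519 allows), and applying the jwt-aud regex with fullmatch are assumptions made for this example.

```python
"""Audience ("aud") checks for a decoded JWT: the behaviour the issue
describes as current, and the proposed regex-based replacement.
Stand-alone example; not PostgREST's implementation."""
import re
from typing import List, Optional, Union

# RFC 7519: "aud" may be absent, a single string, or an array of strings.
AudClaim = Union[None, str, List[str]]

# Proposed default: a pattern that can never match, so any token that
# carries an "aud" claim is rejected until an administrator opts in.
REJECT_ALL = r"\b\B"
# Explicit opt-in to the current permissive behaviour.
ACCEPT_ALL = r".*"


def _aud_values(aud: AudClaim) -> List[str]:
    """Normalise the claim to a list of strings; reject anything else."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("malformed aud claim")


def aud_accepted_current(aud: AudClaim, jwt_aud: Optional[str]) -> bool:
    """Current behaviour per the issue: with jwt-aud unset the server
    identifies with every audience, so a token with any aud passes.
    With jwt-aud set, the configured value must be one of the audiences."""
    if jwt_aud is None:
        return True
    return jwt_aud in _aud_values(aud)


def aud_accepted_proposed(aud: AudClaim, jwt_aud: Optional[str] = None) -> bool:
    """Proposed behaviour: jwt-aud is a regex defaulting to \\b\\B.
    A token without an aud claim is accepted (there is nothing to match);
    a token with an aud claim is accepted only if at least one of its
    values fully matches the pattern. An empty aud array is "present"
    with no matching value and is therefore rejected."""
    pattern = re.compile(REJECT_ALL if jwt_aud is None else jwt_aud)
    if aud is None:
        return True
    return any(pattern.fullmatch(v) is not None for v in _aud_values(aud))


if __name__ == "__main__":
    # Constructed sample: a token minted for another service.
    stolen_token_aud = "billing-service"
    print("current, jwt-aud unset :", aud_accepted_current(stolen_token_aud, None))
    print("proposed, jwt-aud unset:", aud_accepted_proposed(stolen_token_aud))
    print("proposed, aud1|aud2|aud3:", aud_accepted_proposed("aud2", "aud1|aud2|aud3"))
```

fullmatch rather than search is deliberate: with search, `aud1|aud2|aud3` would also accept an audience such as `aud10`, which reintroduces a variant of the problem the issue is about.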