Description
While testing for some issues I came across this problem. According to the RFC:
https://tools.ietf.org/html/rfc7234#section-3.2
3.2. Storing Responses to Authenticated Requests
A shared cache MUST NOT use a cached response to a request with an
Authorization header field (Section 4.2 of [RFC7235]) to satisfy any
subsequent request unless a cache directive that allows such
responses to be stored is present in the response.
In this specification, the following Cache-Control response
directives (Section 5.2.2) have such an effect: must-revalidate,
public, and s-maxage.
I tested here having s-maxage on a cached object, then sent requests with an auth header and it would always go upstream for the request as long as an auth header was attached. The only way to cache them was with the addition of public to the CC header.
This was with 8.1.x.
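
The rule quoted from RFC 7234 section 3.2, as an added example that is not part of the original report and not the project's code: it evaluates the Authorization condition for a shared cache and compares it with a model of the behaviour reported above, where only `public` had the effect. The function names, sample `Cache-Control` values and the token are constructed, and treating any `private` or `no-store` as a refusal is a conservative assumption.

```python
# Added example: RFC 7234 section 3.2 decision for a shared cache.
# All names and sample values below are constructed for illustration.

RFC_ALLOWING = {"must-revalidate", "public", "s-maxage"}  # listed in section 3.2
REPORTED_ALLOWING = {"public"}  # model of the behaviour described in the report

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lowercased."""
    directives = {}
    for part in value.split(","):
        name, sep, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives

def shared_cache_may_reuse(request_headers, cache_control, allowing=RFC_ALLOWING):
    """Check only the Authorization rule plus private/no-store, not freshness."""
    directives = parse_cache_control(cache_control)
    # Section 5.2.2: a shared cache must not store private or no-store responses.
    if "private" in directives or "no-store" in directives:
        return False
    # Header field names are case-insensitive.
    if not any(k.lower() == "authorization" for k in request_headers):
        return True  # section 3.2 restricts only requests carrying Authorization
    return any(d in directives for d in allowing)

SAMPLES = [  # constructed Cache-Control response values
    "s-maxage=300",
    "max-age=300, must-revalidate",
    "public, max-age=300",
    "max-age=300",
    "s-maxage=300, private",
]

def compare(samples=SAMPLES):
    """Return (value, rfc_decision, reported_decision) for an authenticated request."""
    req = {"Authorization": "Bearer constructed-token"}
    return [(cc, shared_cache_may_reuse(req, cc),
             shared_cache_may_reuse(req, cc, REPORTED_ALLOWING)) for cc in samples]

if __name__ == "__main__":
    for cc, rfc, reported in compare():
        note = "" if rfc == reported else "  <-- differs from RFC"
        print(f"{cc!r:34} rfc={rfc!s:5} reported={reported!s:5}{note}")
```
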