/me endpoint should respect access rules #1494
foopis23 started this conversation in Feature Requests & Ideas
Replies: 1 comment
I want to be able to store secret data for a user. Only the API should be able to use this information for things like access control, but I don't want it to be available in the admin portal or in the API. This is pretty easy; you just do something like this for the auth collection.

This is all fine and dandy, except for one endpoint. The api/{collectionName}/me endpoint returns user data even when the user doesn't have access. This is because it is just returning a slightly modified version of req.user, as seen here: https://github.com/payloadcms/payload/blob/master/src/auth/operations/me.ts. You also can't make an afterRead hook to remove the data, because then it removes it from req.user. I still want the data on the backend; I just don't want it to be passed to the frontend. If you need to remove data, you can use the afterMe hook to remove it, but it just seems like the /me endpoint should respect access control.
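As an added example (not the original post's or Payload's own code), here is the pattern the post describes in plain JavaScript: the field-level read rules hide the secret from API and admin reads, and an afterMe hook applies those same rules to the /me response while leaving req.user untouched for server-side access control. The hook signature ({ req, response }) => response and the access.read({ req }) argument shape are assumed from Payload's v1 API; the collection config and sample data are constructed.

```javascript
// Added example, not from the original post or Payload's code. Assumed from
// Payload v1: afterMe hook ({ req, response }) => response; access.read({ req }).

// Constructed users collection: field-level read rules hide the secrets from
// REST/GraphQL reads and the admin UI, but req.user on the server still has them.
const Users = {
  slug: 'users',
  auth: true,
  fields: [
    { name: 'email', type: 'email' },
    // never readable through the API, usable only server-side
    { name: 'internalFlags', type: 'json', access: { read: () => false } },
    // readable only when the requester is an admin
    {
      name: 'supportNotes',
      type: 'textarea',
      access: { read: ({ req }) => Boolean(req.user && (req.user.roles || []).includes('admin')) },
    },
  ],
};
// Evaluate a field's read rule; a field without a rule is readable.
function fieldReadable(field, req) {
  const rule = field.access && field.access.read;
  return typeof rule === 'function' ? Boolean(rule({ req })) : true;
}

// Copy `user` without the fields the requester may not read. The input object
// is not mutated, so req.user keeps the secret for later access-control checks.
function stripUnreadableFields(user, fields, req) {
  const out = { ...user };
  for (const field of fields) {
    if (!fieldReadable(field, req)) delete out[field.name];
  }
  return out;
}

// afterMe hook: apply the collection's own read rules to the /me response only.
const afterMe = ({ req, response }) => {
  if (!response || !response.user) return response;
  return { ...response, user: stripUnreadableFields(response.user, Users.fields, req) };
};
const UsersWithHook = { ...Users, hooks: { afterMe: [afterMe] } };

// Constructed request/response pair as the me operation would produce them.
const sampleUser = { id: 'u1', email: 'a@example.com', roles: ['editor'],
  internalFlags: { banned: false }, supportNotes: 'called twice' };
const sampleReq = { user: sampleUser };
const sampleResponse = { user: sampleUser, exp: 1700000000 };
```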