Ok, if there is no technical limitation making it impossible I will file a feedback. Because if we cannot use attestation for all requests to an endpoint which should be protected for all clients (with e.g. widget extension being a client doing calls) it effectively stays "open" or needs a special handling for the widget calls.