Privilege escalation and circumvention of permission to limited access user

Disclosed: 2015-11-11 02:06:42 By egrep To shopify
Vulnerability Details
Scenario:

Test shopify shop: https://elamaranhack.myshopify.com/admin
User1: [email protected] (X) - Account Owner (Shop Admin)
User2: [email protected] (Y) - Limited access user (access to Sales Channels Overviews only)

Limited access user (Y), who does not have permission to access home page activities, is able to see all shop owner activities using the request "https://elamaranhack.myshopify.com/admin/dashboard/activity_feed?activity_pages=XXXX&activity_filter=all", where XXXX is the page number.

Steps to reproduce:

1) Created users X & Y with the above mentioned permissions (X1.png, X2.png)
2) Shop admin X views his activities using the url "https://elamaranhack.myshopify.com/admin/activity" (X3.png, X4.png)
3) If limited access user Y tries to view shop admin activities, the system blocks the url rightly (Y1.png)
4) There is one option for shop admin X to load more activities using the url "https://elamaranhack.myshopify.com/admin/dashboard/activity_feed?activity_pages=XXXX&activity_filter=all", where XXXX is the page number (X5.png, X6.png)
5) If the limited access user Y uses the url "https://elamaranhack.myshopify.com/admin/dashboard/activity_feed?activity_pages=XXXX&activity_filter=all", he is able to view all shop admin activities (Y2.png, Y3.png)

Error screenshots attached for reference.
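The root cause described above is a permission check enforced on the HTML page (/admin/activity) but not on the paginated feed endpoint that backs its "load more" button. The following added example (not Shopify's code) models both dispatchers in plain Python, with the fix binding the check to the data handler so every route serving that data is covered; the users, permission names and feed contents are constructed placeholders.

```python
from dataclasses import dataclass, field
from functools import wraps

# Constructed sample data standing in for the shop's activity feed.
ACTIVITY = [f"activity {i}" for i in range(1, 41)]
PAGE_SIZE = 10

@dataclass
class User:
    email: str
    permissions: set = field(default_factory=set)

# Hypothetical accounts mirroring X (owner) and Y (limited) in the report.
OWNER = User("owner@example.com", {"dashboard", "sales_channels"})
LIMITED = User("limited@example.com", {"sales_channels"})

def feed(user, page=1):
    """Return one page of the activity feed (unguarded data access)."""
    start = (page - 1) * PAGE_SIZE
    return 200, ACTIVITY[start:start + PAGE_SIZE]

def requires(permission):
    """Attach the authorization check to the handler itself, not to one route."""
    def deco(handler):
        @wraps(handler)
        def guarded(user, *args, **kwargs):
            if permission not in user.permissions:
                return 403, None
            return handler(user, *args, **kwargs)
        return guarded
    return deco

def vulnerable_dispatch(user, path, page=1):
    """Bug pattern from the report: only the page route checks permissions."""
    if path == "/admin/activity":
        if "dashboard" not in user.permissions:
            return 403, None
        return feed(user, page)
    if path == "/admin/dashboard/activity_feed":
        return feed(user, page)  # no check: limited user Y can read every page
    return 404, None

# Fixed: the guarded handler is the only thing either route can call.
activity_feed = requires("dashboard")(feed)

def hardened_dispatch(user, path, page=1):
    """Both the page and the feed endpoint go through the same guarded handler."""
    if path in ("/admin/activity", "/admin/dashboard/activity_feed"):
        return activity_feed(user, page)
    return 404, None
```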
Report Stats
  • Report ID: 95589
  • State: Closed
  • Substate: resolved
  • Upvotes: 4