high severity | Weaviate vector database

Unauthenticated requests succeed (e.g., curl http://weaviate:8080/v1/meta returns data instead of 401) despite setting AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false' in config.

Root cause

Weaviate enables anonymous access by default when no other authentication method is explicitly configured. Setting AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false' alone is not sufficient if API key and OIDC authentication are also disabled or not set: the system treats this as a fallback to anonymous access.
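The fallback described above can be caught before deployment by auditing the container's environment. The following Python check is an added example, not Weaviate's own code: it models only the API key and OIDC methods named here, and the variable names AUTHENTICATION_APIKEY_ENABLED and AUTHENTICATION_OIDC_ENABLED, the set of truthy strings, and the sample inputs are assumptions that do not appear in the original entry.

```python
# Added example: models the fallback rule described above; not Weaviate's code.
ANON = "AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED"
# The two explicit methods the entry names (API key and OIDC).
METHODS = {
    "API key": "AUTHENTICATION_APIKEY_ENABLED",
    "OIDC": "AUTHENTICATION_OIDC_ENABLED",
}
# Assumption: strings treated as "enabled" for boolean settings.
TRUTHY = {"true", "1", "on", "enabled"}


def normalize(env):
    """Accept a compose-style mapping or a Kubernetes list of {name, value}."""
    if isinstance(env, dict):
        items = env.items()
    else:
        items = ((e["name"], e.get("value", "")) for e in env)
    # YAML may deliver bare true/false as bool, so compare lowercased strings.
    return {k: str(v).strip().lower() for k, v in items}


def audit(env):
    """Return (anonymous_access_effective, reason) for one container's env."""
    cfg = normalize(env)
    active = [label for label, var in METHODS.items() if cfg.get(var) in TRUTHY]
    if cfg.get(ANON) in TRUTHY:
        return True, f"{ANON} is enabled"
    if not active:
        state = f"set to {cfg[ANON]!r}" if ANON in cfg else "unset"
        return True, (f"{ANON} is {state} but neither API key nor OIDC is "
                      "enabled, so anonymous access is the fallback")
    return False, "explicit method(s) enabled: " + ", ".join(active)


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "failing config from this entry": {ANON: "false"},
        "k8s env with API key": [
            {"name": ANON, "value": "false"},
            {"name": "AUTHENTICATION_APIKEY_ENABLED", "value": "true"},
        ],
    }
    for name, env in samples.items():
        print(name, "->", audit(env))
```

A result of False from the static check should still be confirmed against the running instance: the unauthenticated request to /v1/meta from the symptom above should return 401.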

Weaviate, authentication, anonymous-access, misconfiguration, k8s
