-
ohchase: Was looking over the monero-gui and from what I can tell it runs the wallet rpc locally without any authorization. Am I understanding this correctly?
-
ohchase: I'm ignoring the whole wallet unlock and close access control portion
-
m-relay: <ofrnxmr:xmr.mx> No
-
m-relay: <ofrnxmr:xmr.mx> clarify: wdym about runs the wallet rpc?
-
ohchase: The wallet not daemon rpc, so default for mainnet it would be on the local network at 127.0.0.1:18088
-
ohchase: overall my concern/thought was with a simple curl command if the user has their wallet open when running a local node with the usage of monero-gui, the wallet could be swept. So it would be a low difficulty, opportunistic way to steal funds. E.g. hey here's this new cool monero tool I made, person downloads or pulls in dependency and has their gui wallet unlocked, and the package build does a local curl request sweeping the wallet
-
plowsof: the daemon is not a wallet remember
-
ohchase: ahhh this doesn't use the wallet rpc at all, uses wallet2 native bindings for all wallet interactions it seems
-
m-relay: <ofrnxmr:xmr.mx> wallet2_api
-
m-relay: <ofrnxmr:xmr.mx> 18088 isn't a default port for anything