GitLab: Last build status and coverage leaked to unauthorized users

GitLab CI supports creating badges for the latest build/coverage on a certain branches. However, with restricted access, where users do not have access to pipelines, users still have access to the build/coverage status of any branch.
This access works for different configurations:

1. For public projects with restricted pipeline access, any user (the user does not need to be signed in) has access to this information
2. For internal projects with restricted pipeline access, any authenticated user has access to this information
3. For private projects, any Guest user of that project has access to this information

Steps to reproduce

1. Create a public repo, configure CI, and push some code. Consider the project namespace to be test/cibadges in these steps.
2. Restrict the visibility of whole repo to Project Members Only and disable Public builds in the CI settings
3. As a non-authenticated user visit the following page: https://example.gitlab.com/test/cibadges/badges/master/pipeline.svg

This will return a SVG image showing the build status of the master branch. This works for any other branch as well. The same thing also works with the coverage badge accessible via the following link https://example.gitlab.com/test/cibadges/badges/master/coverage.svg
The same works for the other configurations as mentioned above.

Even if repos and therefore also pipelines are completely disabled, the last build status/coverage still can be retrieved via the badges link.

Steps to mitigate

Perform proper authorization check handling a badge request

Impact

Users with restricted pipeline access can see the build/coverage status for different branches