An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
This vulnerability has been patched in Parse Server 4.3.0.
No
See commit 78239ac for details.