Frans Rosén published an article describing access control flaws in CloudKit that allowed him to delete other users' Shortcuts.
The article contains an in-depth analysis of the flaw and also provides a good overview of the CloudKit design.
Detectify: Hacking CloudKit – How I accidentally deleted your Apple Shortcuts
Reference: Exploit found in CloudKit let developer delete other users’ Shortcuts
Recommendations
Developer:
Review the CloudKit architecture design.
QA engineer:
Consider using some of the approaches for testing purposes.
PM/DM:
Business as usual.