Frans Rosén published an article describing access control flaws in CloudKit which allowed him to delete Shortcuts of other users.
Article contains in-depth analysis of the flaw and also provides good overview of CloudKit design.
Developer:Review the CloudKit architecture design.
QA engineer:Consider using some of the approaches for testing purposes.
PM/DM:Business as usual.