Can attributes be sent to the client without being used?

Hi there, I come from a traditional development background and have pivoted into security testing. That means I get to look at maaaaany development frameworks from a security  angle, when testing applications built with these technologies. That is to say: Help! I have some previous knowledge, but now I really need to understand Mendix. From what I have gathered so far Mendix has a great Security Model and helps to avoid many of the classical error is areas like Input Validation (XSS, SQLi). From skimming the documentation about Runtime Security and AppSec Best Practices I got the impression that the most likely security problems with a Mendix Application are likely related to authorization i.e. developers setting overly generous access rules. Now how would that look from client perspective? Is it basically “what you see is all there is” i.e only attributes used in a form are sent to the client? Or could it happen that the runtime sends an object with all (even unintentionally readable) attributes to the client, but only a subset of the attributes are used in a form? Sorry for the wall of text. Just a Mendix newcomer trying to learn as much as possible in the short time frame I have
1 answers

Object with all readable attributes are send to the client. This is needed for page rendering. Not all attributes need to be displayed, but could be used for dynamic pages for example