The issue was addressed with additional permissions checks. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3 and iPadOS 17.3. A shortcut may be able to use sensitive data with certain actions without prompting the user.
seclists.org/fulldisclosure/2024/Jan/33
seclists.org/fulldisclosure/2024/Jan/36
seclists.org/fulldisclosure/2024/Jan/39
seclists.org/fulldisclosure/2024/Mar/22
seclists.org/fulldisclosure/2024/Mar/23
support.apple.com/en-us/HT214059
support.apple.com/en-us/HT214060
support.apple.com/en-us/HT214061
support.apple.com/kb/HT214082
support.apple.com/kb/HT214083
support.apple.com/kb/HT214085