Authorization model
Cookie-authenticated mutations require a WordPress REST nonce. Every endpoint repeats feature availability, audience, ownership, membership, privacy, and input validation appropriate to the action.
Cache safety
Private and real-time REST responses send no-store behavior so page caches do not serve one member's state to another.
Extension points
Use documented WordPress and BuddyPress hooks around native data. Do not bypass REST authorization by writing directly from public JavaScript.