In another comment, a Posthog security engineer mentions that this was resolved previously for their cloud-hosted product: https://news.ycombinator.com/item?id=46307696