The answer might be 'it depends'

You’re in charge of a server that provides two types of assets. The first type is public and its visibility is important to your company. The second should be restricted access only and shouldn’t be public.

Now suppose there is a mistake made and the private material is exposed publicly - what’s more important, that the public data is available or that the private data isn’t? Who’d make that decision where you work? How long would it take to get an answer from them?