Mass Assignment Medium: Internal Feature Flags

• This version tries to look safer because it uses an allowlist.
• The problem is that the allowlist still includes internal-only properties.
• Think about fields a browser form could submit even if the visible UI does not show them.

A formal allowlist only helps if it contains truly client-editable fields. If internal properties are included, attackers can still assign privileged values.