Private Worlds can have public instances via API
BobyStar
Private worlds in VRChat are really only unlisted, they can have public instances and group instances like any other world despite the game and the website not allowing this.
A player with a link to a world can make any instance type (regardless of the publish status) using the API. This is especially easy with third party tools such as VRCX.
I propose two solutions:
Change the Private status name to Unlisted to let creators know the world is fully accessible via the link and any instance type can be made (website, in-game, or api).
OR
Server side block public and groups public instances for private worlds.
Log In
owlboy
I would be interested in options to disable Public AND/OR Group Public via the world settings. (similar to turning on or off other features in a world).
I would also be interested in world authors being able to bypass these settings.
I would also be interested in world authors being able to delegate the same permissions to others. So that event collaborators and runners can also bypass the settings.