T262396 added support for the X-Wikimedia-Debug header to the API gateway.
Although the feature is obviously useful for testing the internal network, there are parts of it (cache-busting, read-only) that could become undocumented features.
I'd like to see handling for this header limited by client ID. If an API developer or SRE is using their development client ID to test the API gateway, great. But a public client won't get used to using the cache-busting feature in their production app and then find out that it's no longer allowed.
Not a high priority, but one worth considering in the future.
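
One way the per-client restriction proposed above could look, as an added sketch that is not the API gateway's own code. It assumes the gateway has already authenticated the request and knows its client ID; the function name, allowlist and client IDs are hypothetical.

```python
# Added illustration; every name here is hypothetical, not gateway code.
DEBUG_HEADER = "x-wikimedia-debug"

# Constructed sample allowlist of development client IDs.
DEBUG_ALLOWED_CLIENT_IDS = frozenset({"dev-client-sre-01", "dev-client-api-02"})


def filter_debug_header(headers, client_id, allowed=DEBUG_ALLOWED_CLIENT_IDS):
    """Return (headers_to_forward, audit_event).

    headers:   list of (name, value) pairs as received from the client.
    client_id: ID the gateway has already authenticated, or None.

    The debug header is forwarded only for allowlisted client IDs. For any
    other caller every copy is dropped and the request continues as a normal
    one, so public clients never see cache-busting or read-only behaviour.
    """
    def is_debug(name):
        # HTTP header names are case-insensitive.
        return name.strip().lower() == DEBUG_HEADER

    copies = sum(1 for name, _ in headers if is_debug(name))
    if copies == 0:
        return list(headers), None

    if client_id is not None and client_id in allowed:
        return list(headers), {"action": "forwarded", "client_id": client_id}

    # Not allowlisted (or unauthenticated): strip every copy and record it,
    # so operators can see which clients are sending the header.
    kept = [(name, value) for name, value in headers if not is_debug(name)]
    return kept, {"action": "stripped", "client_id": client_id, "copies": copies}
```

Stripping rather than rejecting keeps the header from becoming observable behaviour for public clients, and the audit event shows which clients would be affected before the restriction is enforced.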