Is there a best practice for the case where relationships resource objects are not authorized to be fetched even when fetching their “parent” resource object is allowed? Potential options could be to “hide” those relationships’ resource linkage resource identifier object(s) by returning
null for a to-one relationship or omitting some or all array elements for a to-many.
Hiding the relationships has the advantage of protecting the disallowed resource object(s) from being fetched (even if it’s just the type and id) but the disadvantage of misrepresenting the lack of existence of relationships – which is OK by me if the child related resource is not allowing itself to be fetched.
An alternative would be to fail the entire fetch of the resource object, returning a not found error object (or set of error objects perhaps identifying that the related resource fetch was the cause).