Because Apex generally runs in system context, permissions, field-level security, and sharing rules aren't taken into account during code execution. This might put applications at risk of inadvertently exposing sensitive data.
- Apex classes that perform direct or indirect database access
- Apex web services
- Apex classes that expose any REST resources (via Apex REST annotations)
- Apex classes that are used as controllers by Visualforce pages, components
- Apex classes that are used by Lightning controllers
- This rule will not trigger on test classes