Is that a concern because GPS coordinates are more sensitive than the rest of the data exposed by the API?
Yes, I believe so. All other data exposed by the API are "publicly available" since all messages sent/received over the air are required to be open for public view.
Furthermore, when a user chooses to expose Pat on all network interfaces, they are likely to understand that anyone on the network will be able to view their messages. What concerns me the most is that the majority of users will not be aware that this endpoint could be used by an attacker to track the user's position in real time, even though the web GUI does not appear to expose that data.
If this gets merged: Find a Raspberry Pi with GPSd and Pat http enabled (for all network interfaces)... and you'll have a very decent GPS tracker.
A couple of comments on #159 suggest there are some reverse-proxy options (Apache HTTP or traefik.io) which solve the encryption/authentication issue. Does that resolve the data sensitivity issue?
No, it does not, unfortunately. We would need to protect the API with some sort of authentication mechanism. Enabling Basic Auth with Apache or traefik.io will not work, since the JS client would need to know how to authenticate with the API.
We would also still have to make sure that we don't expose the endpoint on anything other than localhost.
Don't get me wrong, I would love to see this feature being added. I'm working on a review of PR #146 now, which will provide some suggestions to find a solution.
In the meantime, users should check out this post on how to enable GPSd as a source for Geolocation in Firefox/Chrome: