http://e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion/posts/blog/security/restricting-unauthenticated-access-to-mastodons-public-feeds.html
If the instance publishes to ActivityPub Relays, activity could be pulled from them instead (although there may still be some benefit/protection from being mixed in with activity from other instances).

If public signups are permitted, an adversary could create a legitimate account in order to use a legitimate token in their scraping requests.