Handle-Task route protection

[franzHauptWTD]

I am wondering why during the IdTokenValidation TaskHandler.php there is no check if the service account listed in the token matches the service account configured via STACKKIT_CLOUD_TASKS_SERVICE_EMAIL.

Without this check it would be possible to invoke the handle service route from a different queue.
Example - Assuming there are 2 cloud run services in 2 different google projects. Service A in project P1 and Service B in project P2.
Service A has the endpoint a-xyz.a.run.app/handle-task
Service B has the endpoint b-xyz.a.run.app/handle-task

Service A configures its STACKKIT_CLOUD_TASKS_HANDLER to point to Service B (b-xyz.a.run.app/handle-task).
Service A has a service account configured via STACKKIT_CLOUD_TASKS_SERVICE_EMAIL which has permission to add the task to its queue.
When the queue wants the task (created by service A) to be executed, the handle-task route from Service B is called. Within Service B the verifyToken will result in a valid google token and therefore the task is executed.

[marickvantuil]

I'm sorry, but I fail to see if this is a problem. IMO, this can be a valid use case: if the service account can push to another project's queue, then this should be allowed to happen?

Perhaps I misunderstand, in that case let me know.