Disabling --auth-jwt-rs256-crt allows parties to view encrypted data?

First I run,

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>' --auth-jwt-rs256-crt rsa_cert.pem

And run various scripts that create a few a contract with a party with a valid jwt token.

When I log into navigator with a valid access-token-file I can view the contracts.

However, when I run

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>' 

With --auth-jwt-rs256-crt disabled I can still log into the navigator as a party and view the contracts.

Why is this the case? Shouldn’t the contracts be encrypted and therefore not viewable without a valid jwt access token? Or is all the data non-encrypted and therefore --auth-jwt-rs256-crt only affects then authentication layer? Or am I running some test or sandbox configuration without realizing it?

How does this behaviour compare to Canton or other ledgers?

The authorization via JWTs is purely an access control on the API. It does not affect what data is stored and how. So you can switch between authorization flags (including disabling authorization) without any issues.