Possible to restrict RPC calls to only custom RPC functions without authentication?

  1. My goal is: restrict which RPC functions are callable but with no remote authentication
  2. My actions are: using https://mongoose-os.com/docs/mongoose-os/userguide/security.md we have successfully implemented Enable authentication and Enable authorization. We want to restrict which RPC functions can be called, but not require any user:pass authentication.
  3. The result I see is: have not gotten that to work
  4. My expectation & question is: I hope we can restrict which RPCs are accessible but not require a username and/or password.

mdash.net implements that functionality.
It works this way: a device has a set of RPC functions, device shadow and associated database data. You can define an ACL that specifies, which RPC functions, which shadow keys, and which SQL queries are visible to the external user.

See https://mdash.net/docs/userguide/intro.md#acl.
A similar functionality could be developed purely on a device itself, but that is something Mongoose OS does not provide out of the box and requires custom development.