@Paulo I understand what you guys are suspecting. The api doesn't use any user information (like getting username or userid from token, auth headers etc.) to run the query.
select
po.id,
po.name,
po."displayName",
po.description,
po."recurringPrice",
po."nonRecurringPrice",
pi."imageObjectId",
json_agg(json_build_object('characteristic', characteristic, 'isPresent', "isPresent") order by "isPresent" desc) as characteristics,
SUM(CASE WHEN psc."isPresent" = 'Yes' THEN 1 ELSE 0 END) AS featureCount
from
catalog_management_product_offering po
LEFT JOIN product_specific_characteristics psc ON po.id = psc."productId"
LEFT JOIN sdwan_product_images pi ON po.name = pi."productName"
GROUP BY po.id, pi."imageObjectId", po.name
order by featureCount
This is the entire query. As you can see, there are no variables in it, no user variables fetched from token, auth headers etc.