OK, several points here. First, RBAC on API gateways is partially implemented (it does not take into consideration OWASP API3:2019). Therefore request/response parameters per ROLE per endpoint are not being checked.
Second, caches on API gateways do not check ROLE. So you can escalate privileges VIA FIFO by just being the next person to call that endpoint.
From multiple talks with Apigee, Nginx, Kong and others: all security has to be duplicated in the API application to deal with issues like this... at which point the API gateway becomes redundant.
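The two failure modes this comment describes, played out in a small simulated gateway. This is an added example and not code from any gateway product or from the commenter: the `NaiveGateway` caches the upstream response under the path alone and forwards it untouched, so an admin's response is handed to the next caller regardless of role; the `RoleAwareGateway` keys the cache on (role, path), rejects request parameters the role is not allowed to send, and strips response fields outside the role's allowlist (the per-role, per-endpoint check OWASP API3:2019 asks for). The account record, the `POLICY` table, the route names and the `include_pii` parameter are all constructed for the example.

```python
"""Simulated API gateway: cache keyed on path only vs. keyed on role, with
per-role request-parameter and response-field checks. Constructed example,
not a real gateway's implementation."""
from dataclasses import dataclass
from typing import Any, Dict, Tuple

# Constructed upstream data. The backend returns every field and trusts the
# gateway to strip whatever the caller may not see.
ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "42": {"id": "42", "name": "Alice", "balance": 1200.5,
           "ssn": "xxx-xx-1234", "risk_score": 0.83},
}

# Hypothetical per-endpoint, per-role policy: which query parameters a role
# may send and which response fields it may receive. The backend in this toy
# ignores include_pii; the point is that the gateway refuses it for "user".
POLICY = {
    "/accounts/{id}": {
        "admin": {"params": {"include_pii"},
                  "fields": {"id", "name", "balance", "ssn", "risk_score"}},
        "user":  {"params": set(),
                  "fields": {"id", "name", "balance"}},
    }
}


@dataclass(frozen=True)
class Request:
    route: str               # matched route template, e.g. "/accounts/{id}"
    path: str                # concrete path, e.g. "/accounts/42"
    params: Tuple[str, ...]  # query parameter names sent by the caller
    role: str                # role established by authentication upstream


def backend(req: Request) -> Dict[str, Any]:
    """Upstream service: returns the full record, no role awareness."""
    acct = ACCOUNTS.get(req.path.rsplit("/", 1)[-1])
    return dict(acct) if acct else {"error": "not found"}


class NaiveGateway:
    """Caches under the path alone and forwards the body unchanged, so
    whoever calls next receives the previous caller's view of the data."""

    def __init__(self) -> None:
        self.cache: Dict[str, Dict[str, Any]] = {}

    def handle(self, req: Request) -> Tuple[int, Dict[str, Any]]:
        if req.path not in self.cache:
            self.cache[req.path] = backend(req)
        return 200, self.cache[req.path]


class RoleAwareGateway:
    """Checks request parameters against the role's allowlist, filters the
    response to the role's field allowlist, and keys the cache on
    (role, path) so an admin's cached response is never served to a user."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Dict[str, Any]] = {}

    def handle(self, req: Request) -> Tuple[int, Dict[str, Any]]:
        rule = POLICY.get(req.route, {}).get(req.role)
        if rule is None:
            return 403, {"error": "role not permitted on endpoint"}
        denied = set(req.params) - rule["params"]
        if denied:
            return 403, {"error": "parameter not permitted for role",
                         "params": sorted(denied)}
        key = (req.role, req.path)
        if key not in self.cache:
            full = backend(req)
            # Filter before caching so the cache never holds more than the
            # role is entitled to.
            self.cache[key] = {k: v for k, v in full.items()
                               if k in rule["fields"]}
        return 200, self.cache[key]


def replay(gateway) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """The FIFO scenario: an admin fetches the account, then an ordinary
    user fetches the same path. Returns (admin_view, user_view)."""
    admin = Request("/accounts/{id}", "/accounts/42", (), "admin")
    user = Request("/accounts/{id}", "/accounts/42", (), "user")
    _, first = gateway.handle(admin)
    _, second = gateway.handle(user)
    return first, second


if __name__ == "__main__":
    for gw in (NaiveGateway(), RoleAwareGateway()):
        _, user_view = replay(gw)
        print(type(gw).__name__, "user sees:", sorted(user_view))
```

Keying the cache on role is only enough when the response depends on nothing but the role; if the backend also scopes data to the individual caller (ownership checks, per-user balances), the key has to include the principal, or the endpoint should not be cached at the gateway at all.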