Editing restrictions on the API filter parameter

Hello everyone,

I was recently using the API filter parameter when I noticed: Not everyone was allowed to use it the same way.

In my case:

{{BaseURL}}/ApiServer/portal/attestation/approve?
filter=
[{"Type":2,"Expression":{"Expressions":
[{"PropertyId":"UID_AttestationPolicy","Operator":"=","LogOperator":0,"Value":"3f09c5e3-3552-4a5e-887f-0a6372e87fbb"},{"PropertyId":"UID_AttestationPolicy","Operator":"=","LogOperator":0,"Value":"4a105f04-a00f-41c4-a830-e14767b886aa"},{"PropertyId":"UID_AttestationPolicy","Operator":"=","LogOperator":0,"Value":"0320076f-f346-496d-a772-6139b485c711"}
],"LogOperator":1}}]

The exact call is not that important but I noticed some people will get the error 'This expression contains unsupported elements'. 

When these people run /portal/dynamicgroup/sqlwizard/tables/AttestationCase/columns they also get less columns back.

Also something that really makes no sense to me is that for one singular condition in the filter everyone can filter everything. So it can not be a security feature or it does not work.

Long story short: as I cannot look into the call itself does anyone know about this behavior and also know where I can configure it?

Thank you

Lennart