I usually write an authorization test to ensure that all our API routes use Gates for security. The test specifically checks routes that are prefixed with api/ and use the auth:sanctum middleware. It skips empty methods, what do you think about this.

Many developers overlook authorization, Assuming Authentication is Sufficient.

medium.com/@tlhthr/testing-api-authorization-using-pest-laravel-085b16ca43ca