Yep... in the function lti_build_request it specifically, as well, never adds the username (no if statements, no security checks/workarounds).
Basically one would have to either hack their/all Moodles... or just duplicate this code into a custom building block type of thing that just replicates it (also not good).