[Authorize] attribute, needed in code behind Blazor page?

Posted 3 years ago by mgp
0

Hi, I have a quick question.

I'm using roles-based authorization on my pages like so '@attribute [Authorize(Roles="yadayada")]'.

And in the controller, '[Authorize(Roles ="yadayada")]'. 

And in the Navigation menu '<AuthorizeView Roles="yadayada">'.

I guess my question is, on the Razor Page, does the one attribute[Authorize()] protect both the HTML and the code? Or do I need to apply the Authorize attribute to each function in the code section of the page?

I have dug around and I can't seem to get straight answers. I do seem to recall one post mentioning that the attribute will not work in the @code section but only the page and class scopes. 

I tried adding it to my page code, it gave no build or run errors, but I can't say that I need it either.

Any thoughts?

Thanks

  • 1

    I'm no security expert, but it's my understanding that the [Authorize] attribute protects the entire component, when it's an @page component that can be reached via the Blazor Router. If you want to call a method in the @code block of a component, I believe you still have to load that component. If that @page component is protected and the user is unauthorized, they shouldn't be able to call the methods in the @code block either. If I'm incorrect, hopefully someone else will chime in. The other thing that complicates things a bit is that Blazor WebAssembly apps run in the client, so they are susceptible to being manipulated and it becomes difficult to enforce the authorization access rules. However, since the code is likely calling an API to retrieve the data, which should have its own access rules for its controller or method being called, I believe that should limit the potential for unauthorized access. It's important to mention that the [Authorize] attribute doesn't work in child components, only components with the @page directive that can be accessed via the Blazor Router. For more information, please check out: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-5.0

    Posted 3 years ago by selliott
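
An added example, not code from either poster, of the layering the reply describes: the page-level attribute is checked during routing, a handler in the @code block re-checks the role procedurally, and the API call relies on the server's own authorization. The route, role name, endpoint and member names are assumptions, and the app is assumed to wrap its router in CascadingAuthenticationState.

```razor
@* Added example: route, role, endpoint and member names are assumptions. *@
@page "/reports"
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@attribute [Authorize(Roles = "yadayada")]
@inject HttpClient Http

<h3>Reports</h3>

@* AuthorizeView only controls what is rendered; it is a UI convenience. *@
<AuthorizeView Roles="yadayada">
    <Authorized>
        <button @onclick="DeleteReportAsync">Delete report</button>
    </Authorized>
    <NotAuthorized>
        <p>You are not allowed to delete reports.</p>
    </NotAuthorized>
</AuthorizeView>

<p>@status</p>

@code {
    // Supplied by CascadingAuthenticationState (assumed to be set up in App.razor).
    [CascadingParameter]
    private Task<AuthenticationState> AuthStateTask { get; set; }

    private string status = "";

    // Putting [Authorize] on this method compiles but is not enforced:
    // the attribute is only evaluated for the routable component during routing.
    private async Task DeleteReportAsync()
    {
        if (AuthStateTask is null) { status = "No authentication state."; return; }

        // Procedural check inside the handler itself.
        var user = (await AuthStateTask).User;
        if (!user.IsInRole("yadayada")) { status = "Not authorized."; return; }

        // The API controller carries its own [Authorize(Roles = "yadayada")],
        // so the server decides even if the client-side checks are tampered with.
        var response = await Http.DeleteAsync("api/reports/1");
        status = response.IsSuccessStatusCode
            ? "Deleted."
            : $"Server refused: {(int)response.StatusCode}";
    }
}
```

In Blazor WebAssembly the checks in this component run in the browser, so the controller-side attribute is the one that actually protects the data.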