Based on this ticket:
Authorization should be skipped in case of public endpoints with DISABLED enforcement mode.
This is not true in case of version 4.3.Final.
In case of no security context (anonymous access), despite the endpoints being public, response code 403 is returned together with the correct body.
The path's enforcement mode is not even taken into consideration in such a case -> createEmptyAuthorizationContext(false) is always returned.
In my opinion, despite the missing security context, the path config should be evaluated before this check is made and should work the same way as EnforcementMode.DISABLED does for the whole PolicyEnforcer.
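
The check ordering discussed in the post, as an added example that is not part of the original post and is not Keycloak source code: a simplified Java model comparing the reported order with the requested one for anonymous requests. The path table, the `modeFor` matcher and the `evaluate` stand-in are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of the check ordering described in the post; not Keycloak source.
public class EnforcerOrderDemo {
    enum EnforcementMode { ENFORCING, PERMISSIVE, DISABLED }

    // Constructed sample path configuration (path pattern -> mode).
    static final Map<String, EnforcementMode> PATHS = new LinkedHashMap<>();
    static {
        PATHS.put("/public/*", EnforcementMode.DISABLED);
        PATHS.put("/api/*", EnforcementMode.ENFORCING);
    }

    // Hypothetical matcher: exact match, or prefix match for patterns ending in "/*".
    static EnforcementMode modeFor(String uri) {
        for (Map.Entry<String, EnforcementMode> e : PATHS.entrySet()) {
            String p = e.getKey();
            boolean hit = p.endsWith("/*")
                    ? uri.startsWith(p.substring(0, p.length() - 1))
                    : uri.equals(p);
            if (hit) return e.getValue();
        }
        return EnforcementMode.ENFORCING; // unmatched paths stay protected in this model
    }

    // Reported order: the missing security context is rejected before path config is read.
    static int reported(String uri, Object securityContext) {
        if (securityContext == null) return 403;
        return modeFor(uri) == EnforcementMode.DISABLED ? 200 : evaluate(securityContext);
    }

    // Order the post asks for: a DISABLED path is granted first, then the context check.
    static int requested(String uri, Object securityContext) {
        if (modeFor(uri) == EnforcementMode.DISABLED) return 200;
        if (securityContext == null) return 403;
        return evaluate(securityContext);
    }

    // Stand-in for permission evaluation: any non-null context is granted.
    static int evaluate(Object securityContext) { return 200; }

    public static void main(String[] args) {
        for (String uri : new String[] {"/public/health", "/api/orders"}) {
            System.out.printf("%-16s anonymous: reported=%d requested=%d%n",
                    uri, reported(uri, null), requested(uri, null));
        }
    }
}
```

In both orderings an anonymous request to a path that is not explicitly DISABLED still receives 403; only the explicitly public path changes outcome.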