Prevent users from accessing irrelevant kind4 events. AUTH is not required to query general events. The client can authenticate when it needs to retrieve kind4 events.
Discussion
Do you send a CLOSED+auth-required message when a non-authed user tries to read DMs? What is your relay?
When an non-auth user tries to read DMs, currently only a NOTICE message is returned, without sending an AUTH required message (which can be added if necessary). My relay is implemented based on https://github.com/CodyTseng/nostr-relay