Better differentiate requirements for CS and SS API

proposals/4170-profile-403.md

@@ -50,17 +50,25 @@ by standardizing their 403 error response format and behaviour.
 
 ## Proposal
 
-Homeservers MUST allow profile look-up for local users that either share a room
-with the requester or reside in a public room known to the homeserver. Homeservers
-MAY deny profile look-up for local users in all other cases. If they do, they MUST
-respond with 403 `M_FORBIDDEN` on all endpoints that retrieve profile information.
+For the endpoints in the client-server API
 
-Additionally, homeservers SHOULD query remote servers for profiles if requested.
-Homeservers MAY disable profile look-up over federation. If they do, requests to
-`GET /_matrix/federation/v1/query/profile` MUST be replied to with 403 `M_FORBIDDEN`.
+- [`GET /_matrix/client/v3/profile/{userId}`]
+- [`GET /_matrix/client/v3/profile/{userId}/avatar_url`]
+- [`GET /_matrix/client/v3/profile/{userId}/displayname`]
+
+homeservers MUST at a minimum allow profile look-up for users that either share a room
+with the requester or reside in a public room known to the homeserver. In all other
+cases, homeservers MAY deny profile look-up by responding with 403 `M_FORBIDDEN`.
+
+If a remote user is queried through the client-server endpoints and the query is not
+denied per the preceding paragraph, homeservers SHOULD query the remote server for the
+user's profile information.
+
+Homeservers MAY disable profile look-up over federation by responding with 403 `M_FORBIDDEN`
+to [`GET /_matrix/federation/v1/query/profile`].
 
-Whenever profile look-up is disabled, the server's response MUST be 403 `M_FORBIDDEN`
-regardless of whether or not the user exists.
+Whenever profile look-up is disabled on any of the four endpoints, the server's
+response MUST be 403 `M_FORBIDDEN` regardless of whether the user exists or not.
 
 
 ## Potential issues