diff --git a/zerver/lib/events.py b/zerver/lib/events.py
index 07fddcfa8b..acaaff16c9 100644
--- a/zerver/lib/events.py
+++ b/zerver/lib/events.py
@@ -577,6 +577,12 @@ def fetch_initial_state_data(
 # abuse.
 state["giphy_api_key"] = settings.GIPHY_API_KEY if settings.GIPHY_API_KEY else ""
+ if user_profile is None:
+ # To ensure we have the correct user state set.
+ assert state["is_admin"] is False
+ assert state["is_owner"] is False
+ assert state["is_guest"] is True
+
 return state
diff --git a/zerver/views/message_fetch.py b/zerver/views/message_fetch.py
index ac4dcefa8a..b4ecf12031 100644
--- a/zerver/views/message_fetch.py
+++ b/zerver/views/message_fetch.py
@@ -965,6 +965,10 @@ def get_messages_backend(
 # cases of web-public queries (where we should return the
 # web-public results only) and clients with buggy
 # authentication code (where we should return an auth error).
+ #
+ # GetOldMessagesTest.test_unauthenticated_* tests ensure
+ # that we are not leaking any secure data (private messages and
+ # non web-public-stream messages) via this path.
 if not is_web_public_narrow(narrow):
 raise MissingAuthenticationError()
 assert narrow is not None
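Review bot: The three `assert` statements added before `return state` guard a privilege invariant for the `user_profile is None` case, but Python removes `assert` under `-O`/`PYTHONOPTIMIZE`, so the guard disappears in an optimized deployment. An explicit check survives that: `if state["is_admin"] is not False or state["is_owner"] is not False or state["is_guest"] is not True:` followed by `raise AssertionError("logged-out state must be guest-only")`. The subscripts also assume all three keys are always present; if they are only populated for some requested event types (not visible in this hunk), the check would fail with a `KeyError` rather than the intended error, so `state.get(...)` or a presence test may be needed. The existing comment could also say why it matters, e.g. `# Logged-out (web-public) visitors must never receive admin/owner state.` The body of `fetch_initial_state_data` starts outside the hunk.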