1. Salesforce Apex Developer Guide, "Using the with sharing, without sharing, and inherited sharing Keywords":
"An Apex class with the @AuraEnabled annotation that is called from a Lightning component (Aura or LWC) defaults to without sharing." This statement confirms that developers must take explicit action to enforce sharing for LWC controllers.
2. Salesforce Secure Coding Guide, "Enforcing Sharing Rules":
"By default, Apex code runs in system context... The only exceptions to this rule are Apex code that is executed with the executeAnonymous call and Chatter in Apex. To enforce sharing rules, you must declare the class with the with sharing keyword." This highlights the developer's responsibility to enforce sharing.
3. Salesforce Apex Developer Guide, "Enforcing Object and Field Permissions":
This section details the use of Schema Describe methods like isAccessible(), isCreateable(), and isUpdateable() to verify a user's access to objects and fields (FLS), which is distinct from the record-level sharing enforced by the with sharing keyword. This clarifies the inaccuracy of option C.
4. Salesforce Apex Developer Guide, "Testing with runAs":
"The runAs method enables you to write test methods that change the user context to an existing user or a new user so that the user’s record sharing is enforced." This confirms that runAs is a testing tool used to verify sharing behavior.