Hi @YuvalW , if it helps I would think of the private setting as separate from the Authentication section.
If a function is not set to private, it can be called via the client api as Tyler mentioned. If it is private, then it cannot be called via the client API. This is currently the only restriction that the private setting is applied to
Authentication is separate. Regardless if a function is private or not, the authentication piece determines if the caller is allowed to execute the function. For example, if the function is tied to an HTTPS Endpoint and authentication is set to “System”, then anybody can call the HTTPS Endpoint and invoke the function. The System setting also bypasses data access permissions which is likely not what you want.
To answer your use case, you could create a function that is set to “System” authentication and create another function that uses Application Authentication that calls the first function. Does that solve your use case?