By default, this privilege is typically granted to the role. If you are writing a script or integration service, the Application User or Service Account running the script must have a security role that includes this privilege. If the user lacks the privilege, the API call will ignore the header (and run the plugins) or fail, depending on the context.
Standard security controls (like role-based access) are technical gates. But custom logic lives inside the business processes. If an attacker manipulates that logic, they can: prvbypasscustombusinesslogic
CustomAsync : Bypasses only asynchronous plugins and classic workflows. CustomSync,CustomAsync : Bypasses both types. By default, this privilege is typically granted to the role
However, treat it like a surgical scalpel, not a sledgehammer. Use it to trim away unnecessary processing during migration, but never use it to bypass logic that protects the validity of your business data. CustomSync,CustomAsync : Bypasses both types