The HTTP Caching spec (RFC 9111) defines that "A shared cache MUST NOT use a cached response to a request with an Authorization header field" unless it has response directives in its Cache-Control field.
This should be supported in nginx as well as other popular libraries (see https://cache-tests.fyi/).
Describe the problem this feature solves
Nginx may incorrectly serve cached responses to authenticated requests, potentially exposing sensitive user-specific data, because it currently uses a cached response even if the request has an Authorization header.
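The rule requested above, written out as an added example (this is not nginx code and not part of the original issue): a check, for a captured request/response pair, of whether a shared cache may reuse the response under RFC 9111 section 3.5. The function names and the sample headers are hypothetical; the check covers only the Authorization rule plus `private`/`no-store`, not freshness or the other storability conditions.

```python
import re

# Response directives that RFC 9111 section 3.5 names as permitting a shared
# cache to reuse a response to a request that carried Authorization.
ALLOWING = {"public", "must-revalidate", "s-maxage"}

# One directive: name, optional =token or ="quoted string" (commas may appear
# inside the quotes), then a comma or end of input.
_DIRECTIVE = re.compile(
    r'[\s,]*([^\s,=]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]*)))?\s*(?:,|$)')

def parse_cache_control(value):
    """Return {lowercased directive name: argument or None}; None if malformed."""
    value = value.strip(" \t,")
    directives, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            return None  # malformed field: the caller fails closed
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        directives.setdefault(m.group(1).lower(), arg)
        pos = m.end()
    return directives

def header_values(headers, name):
    """All values of a header; field names compare case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]

def shared_cache_may_reuse(request_headers, response_headers):
    """Apply the section 3.5 Authorization rule for a shared cache."""
    cc = parse_cache_control(
        ", ".join(header_values(response_headers, "Cache-Control")))
    # Conservative choice: a qualified private="..." is treated like bare private.
    if cc is None or "no-store" in cc or "private" in cc:
        return False
    if not header_values(request_headers, "Authorization"):
        return True  # this rule adds no restriction for anonymous requests
    return any(name in cc for name in ALLOWING)

if __name__ == "__main__":
    # Constructed sample exchange: authenticated request, response with max-age only.
    req = [("Host", "api.example.test"), ("Authorization", "Bearer PLACEHOLDER")]
    for cache_control in ("max-age=60", "public, max-age=60", "s-maxage=30"):
        resp = [("Cache-Control", cache_control)]
        print(f"{cache_control!r}: reuse allowed = {shared_cache_may_reuse(req, resp)}")
```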