A colleague of mine discovered that with LTI authentication, any instructor who manages any LTI course can add themselves (and potentially their students) to any webwork course. They just follow the directions for creating a webwork tool-provider link, using the URL for that course rather than their own. (Then to get themselves in by clicking this link, they may have to switch to "student view".) That is, there is no verification of any linkage between the instructor of the LTI course and the instructor of the webwork course.
(Actually I only know that this works for Blackboard, but I assume other LTIs behave similarly.)
Is this intentional? It's not much of a security problem, as the LTI only creates student-level accounts; but I could imagine an instructor being unhappily surprised that colleagues could snoop on their webwork problem sets without permission. And I could also imagine it happening by accident, e.g. if someone creates their LTI link by copy-pasting from someone else's without thinking.