I am trying here to be as correct as possible, as far as I currently understand it…
This is hopefully one of the first posts about how to set up and secure a proper APEX environment, seen from a DBA perspective. Because this website is mainly about XMLDB, it is also about the XDB protocol server, and currently not about using Apache or the new, upcoming APEX Listener (apparently another way of doing things).
The behavior of the XDB Protocol Server is controlled by its xdbconfig.xml file. The content of xdbconfig.xml is constrained by an XML Schema called xdbconfig.xsd. Both can be found in the XMLDB folders. The xdbconfig.xml file can be found in the root folder. The xdbconfig.xsd file is part of the Oracle XML Schemata and can be found in the /sys/schemas/PUBLIC/xmlns.oracle.com/xdb/ folder.
The xdbconfig.xml and xdbconfig.xsd files are, like all files and folders in XMLDB, secured and controlled via Access Control Lists (ACL files). The xdbconfig.xml file is controlled via the /sys/acls/all_owner_acl.xml ACL file. The xdbconfig.xsd file is controlled via the /sys/acls/bootstrap_acl.xml ACL file.
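A DBA can list which principals hold which privileges on these two resources by asking the database for the ACL that protects each path. The query below is an added example, not taken from the original post. It assumes a session with sufficient XDB privileges (for example a DBA account), and it assumes the full path of the schema file is the folder named above followed by xdbconfig.xsd.

```sql
-- Added example: list every ACE of the ACL protecting each resource.
-- Paths come from the text above; the .xsd path is composed from the
-- folder name and the file name (assumption).
SELECT r.res_path,
       a.principal,
       a.is_grant,
       a.granted_privs
FROM  (SELECT '/xdbconfig.xml' AS res_path FROM dual
       UNION ALL
       SELECT '/sys/schemas/PUBLIC/xmlns.oracle.com/xdb/xdbconfig.xsd'
       FROM dual) r,
      XMLTABLE(
        XMLNAMESPACES(DEFAULT 'http://xmlns.oracle.com/xdb/acl.xsd'),
        '/acl/ace'
        -- getAclDocument returns the ACL document that governs the path
        PASSING DBMS_XDB.getAclDocument(r.res_path)
        COLUMNS principal     VARCHAR2(128) PATH 'principal',
                is_grant      VARCHAR2(5)   PATH 'grant',
                -- kept as XML so privileges in any namespace are shown
                granted_privs XMLTYPE       PATH 'privilege'
      ) a
ORDER BY r.res_path, a.principal;

-- Full ACL document for xdbconfig.xml, to compare against the content
-- of /sys/acls/all_owner_acl.xml
SELECT DBMS_XDB.getAclDocument('/xdbconfig.xml').getClobVal() AS acl_doc
FROM   dual;
```

Rows where `is_grant` is `true` for a broad principal such as PUBLIC, combined with write-type privileges on /xdbconfig.xml, are the ones to review first, because that file controls the protocol server.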
The security ACL settings for those files (resources, as files and folders are called in XMLDB):