This issue is a follow-up to #25902. @leofeyer, @Toflar and me re-analyzed the problem: The ResponseCacheStrategy sets the response to no-cache, must-revalidate if any of the responses is set to private. This is incorrect, as private means it should be cacheable by the browser, just not by any shared cache.

Because the Response::isCacheable method returns false if a response is private, the ResponseCacheStrategy replaces the private header with a no-cache, must-revalidate.

RFC 7234 says:

The "private" response directive indicates that the response message is intended for a single user and MUST NOT be stored by a shared cache. A private cache MAY store the response and reuse it for later requests, even if the response would normally be non-cacheable.

/cc @nicolas-grekas