The error description returned with a 401 response, gives a recoverySuggestion: "If you're calling an Amplify-generated API, make sure to set the "authMode" in generateClient({ authMode: '...' })to the backend authorization rule's auth provider ('apiKey', 'userPool', 'iam', 'oidc', 'lambda')"

Applying this to the list query (goal is to allow read-access by default and apply a group-basis protection for create, update and delete), gives expected results :

todos_list(): Observable<Todo[]> {
        return from(this.registrationService.getCurrentUser()).pipe(
          map((authData: { userId?: string }) => {
                return authData.userId ? 'userPool' : 'identityPool'; }),       
          switchMap((authMode) => {
            return new Observable<Todo[]>((observer) => {
              const client = generateClient<Schema>();
              client.models.Todo.list({ authMode: authMode })
                .then(            // .... rest of code