diff --git a/apps/dav/composer/composer/autoload_classmap.php b/apps/dav/composer/composer/autoload_classmap.php
index 08c5b395b2e60..4eb7e248073a0 100644
--- a/apps/dav/composer/composer/autoload_classmap.php
+++ b/apps/dav/composer/composer/autoload_classmap.php
@@ -206,6 +206,7 @@
     'OCA\\DAV\\Comments\\EntityCollection' => $baseDir . '/../lib/Comments/EntityCollection.php',
     'OCA\\DAV\\Comments\\EntityTypeCollection' => $baseDir . '/../lib/Comments/EntityTypeCollection.php',
     'OCA\\DAV\\Comments\\RootCollection' => $baseDir . '/../lib/Comments/RootCollection.php',
+    'OCA\\DAV\\ConfigLexicon' => $baseDir . '/../lib/ConfigLexicon.php',
     'OCA\\DAV\\Connector\\LegacyDAVACL' => $baseDir . '/../lib/Connector/LegacyDAVACL.php',
     'OCA\\DAV\\Connector\\LegacyPublicAuth' => $baseDir . '/../lib/Connector/LegacyPublicAuth.php',
     'OCA\\DAV\\Connector\\Sabre\\AnonymousOptionsPlugin' => $baseDir . '/../lib/Connector/Sabre/AnonymousOptionsPlugin.php',
diff --git a/apps/dav/composer/composer/autoload_static.php b/apps/dav/composer/composer/autoload_static.php
index 4c7d43cddbfd5..fabf766109144 100644
--- a/apps/dav/composer/composer/autoload_static.php
+++ b/apps/dav/composer/composer/autoload_static.php
@@ -221,6 +221,7 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\Comments\\EntityCollection' => __DIR__ . '/..' . '/../lib/Comments/EntityCollection.php',
         'OCA\\DAV\\Comments\\EntityTypeCollection' => __DIR__ . '/..' . '/../lib/Comments/EntityTypeCollection.php',
         'OCA\\DAV\\Comments\\RootCollection' => __DIR__ . '/..' . '/../lib/Comments/RootCollection.php',
+        'OCA\\DAV\\ConfigLexicon' => __DIR__ . '/..' . '/../lib/ConfigLexicon.php',
         'OCA\\DAV\\Connector\\LegacyDAVACL' => __DIR__ . '/..' . '/../lib/Connector/LegacyDAVACL.php',
         'OCA\\DAV\\Connector\\LegacyPublicAuth' => __DIR__ . '/..' . '/../lib/Connector/LegacyPublicAuth.php',
         'OCA\\DAV\\Connector\\Sabre\\AnonymousOptionsPlugin' => __DIR__ . '/..' . '/../lib/Connector/Sabre/AnonymousOptionsPlugin.php',
diff --git a/apps/dav/lib/AppInfo/Application.php b/apps/dav/lib/AppInfo/Application.php
index dfc4216713d3e..a22b2cea72ecc 100644
--- a/apps/dav/lib/AppInfo/Application.php
+++ b/apps/dav/lib/AppInfo/Application.php
@@ -23,6 +23,7 @@
 use OCA\DAV\CardDAV\ContactsManager;
 use OCA\DAV\CardDAV\Notification\Notifier as NotifierCardDAV;
 use OCA\DAV\CardDAV\SyncService;
+use OCA\DAV\ConfigLexicon;
 use OCA\DAV\Events\AddressBookCreatedEvent;
 use OCA\DAV\Events\AddressBookDeletedEvent;
 use OCA\DAV\Events\AddressBookShareUpdatedEvent;
@@ -228,6 +229,8 @@ public function register(IRegistrationContext $context): void {
 		$context->registerDeclarativeSettings(SystemAddressBookSettings::class);
 		$context->registerEventListener(DeclarativeSettingsGetValueEvent::class, DavAdminSettingsListener::class);
 		$context->registerEventListener(DeclarativeSettingsSetValueEvent::class, DavAdminSettingsListener::class);
+
+		$context->registerConfigLexicon(ConfigLexicon::class);
 	}
 
 	public function boot(IBootContext $context): void {
diff --git a/apps/dav/lib/CardDAV/ContactsManager.php b/apps/dav/lib/CardDAV/ContactsManager.php
index b35137c902d50..89f1dbb39bd93 100644
--- a/apps/dav/lib/CardDAV/ContactsManager.php
+++ b/apps/dav/lib/CardDAV/ContactsManager.php
@@ -7,8 +7,11 @@
  */
 namespace OCA\DAV\CardDAV;
 
+use OCA\DAV\AppInfo\Application;
+use OCA\DAV\ConfigLexicon;
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 
@@ -23,6 +26,7 @@ public function __construct(
 		private CardDavBackend $backend,
 		private IL10N $l10n,
 		private PropertyMapper $propertyMapper,
+		private IAppConfig $appConfig,
 	) {
 	}
 
@@ -43,6 +47,11 @@ public function setupContactsProvider(IManager $cm, $userId, IURLGenerator $urlG
 	 * @param IURLGenerator $urlGenerator
 	 */
 	public function setupSystemContactsProvider(IManager $cm, ?string $userId, IURLGenerator $urlGenerator) {
+		$systemAddressBookExposed = $this->appConfig->getValueBool(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED);
+		if (!$systemAddressBookExposed) {
+			return;
+		}
+
 		$addressBooks = $this->backend->getAddressBooksForUser('principals/system/system');
 		$this->register($cm, $addressBooks, $urlGenerator, $userId);
 	}
diff --git a/apps/dav/lib/CardDAV/UserAddressBooks.php b/apps/dav/lib/CardDAV/UserAddressBooks.php
index e29e52e77dffd..2175939e709c0 100644
--- a/apps/dav/lib/CardDAV/UserAddressBooks.php
+++ b/apps/dav/lib/CardDAV/UserAddressBooks.php
@@ -9,11 +9,14 @@
  */
 namespace OCA\DAV\CardDAV;
 
+use OCA\DAV\AppInfo\Application;
 use OCA\DAV\AppInfo\PluginManager;
 use OCA\DAV\CardDAV\Integration\ExternalAddressBook;
 use OCA\DAV\CardDAV\Integration\IAddressBookProvider;
+use OCA\DAV\ConfigLexicon;
 use OCA\Federation\TrustedServers;
 use OCP\AppFramework\QueryException;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IL10N;
@@ -21,6 +24,7 @@
 use OCP\IUser;
 use OCP\IUserSession;
 use OCP\Server;
+use OCP\Util;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
 use Sabre\CardDAV\Backend;
@@ -30,11 +34,9 @@
 use function array_map;
 
 class UserAddressBooks extends \Sabre\CardDAV\AddressBookHome {
-	/** @var IL10N */
-	protected $l10n;
-
-	/** @var IConfig */
-	protected $config;
+	protected IL10N $l10n;
+	protected IConfig $config;
+	protected IAppConfig $appConfig;
 
 	public function __construct(
 		Backend\BackendInterface $carddavBackend,
@@ -44,6 +46,10 @@ public function __construct(
 		private ?IGroupManager $groupManager,
 	) {
 		parent::__construct($carddavBackend, $principalUri);
+
+		$this->l10n = Util::getL10N('dav');
+		$this->config = Server::get(IConfig::class);
+		$this->appConfig = Server::get(IAppConfig::class);
 	}
 
 	/**
@@ -52,19 +58,12 @@ public function __construct(
 	 * @return IAddressBook[]
 	 */
 	public function getChildren() {
-		if ($this->l10n === null) {
-			$this->l10n = \OC::$server->getL10N('dav');
-		}
-		if ($this->config === null) {
-			$this->config = Server::get(IConfig::class);
-		}
-
 		/** @var string|array $principal */
 		$principal = $this->principalUri;
 		$addressBooks = $this->carddavBackend->getAddressBooksForUser($this->principalUri);
 		// add the system address book
 		$systemAddressBook = null;
-		$systemAddressBookExposed = $this->config->getAppValue('dav', 'system_addressbook_exposed', 'yes') === 'yes';
+		$systemAddressBookExposed = $this->appConfig->getValueBool(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED);
 		if ($systemAddressBookExposed && is_string($principal) && $principal !== 'principals/system/system' && $this->carddavBackend instanceof CardDavBackend) {
 			$systemAddressBook = $this->carddavBackend->getAddressBooksByUri('principals/system/system', 'system');
 			if ($systemAddressBook !== null) {
diff --git a/apps/dav/lib/ConfigLexicon.php b/apps/dav/lib/ConfigLexicon.php
new file mode 100644
index 0000000000000..921c6f2036bb0
--- /dev/null
+++ b/apps/dav/lib/ConfigLexicon.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV;
+
+use OCP\Config\Lexicon\Entry;
+use OCP\Config\Lexicon\ILexicon;
+use OCP\Config\Lexicon\Strictness;
+use OCP\Config\ValueType;
+
+/**
+ * Config Lexicon for files_sharing.
+ *
+ * Please Add & Manage your Config Keys in that file and keep the Lexicon up to date!
+ *
+ * {@see ILexicon}
+ */
+class ConfigLexicon implements ILexicon {
+	public const SYSTEM_ADDRESSBOOK_EXPOSED = 'system_addressbook_exposed';
+
+	public function getStrictness(): Strictness {
+		return Strictness::NOTICE;
+	}
+
+	public function getAppConfigs(): array {
+		return [
+			new Entry(
+				self::SYSTEM_ADDRESSBOOK_EXPOSED,
+				ValueType::BOOL,
+				defaultRaw: true,
+				definition: 'Whether to not expose the system address book to users',
+				lazy: true,
+			),
+		];
+	}
+
+	public function getUserConfigs(): array {
+		return [];
+	}
+}
diff --git a/apps/dav/lib/Listener/DavAdminSettingsListener.php b/apps/dav/lib/Listener/DavAdminSettingsListener.php
index 69501915208b3..69966676e3476 100644
--- a/apps/dav/lib/Listener/DavAdminSettingsListener.php
+++ b/apps/dav/lib/Listener/DavAdminSettingsListener.php
@@ -8,6 +8,7 @@
 namespace OCA\DAV\Listener;
 
 use OCA\DAV\AppInfo\Application;
+use OCA\DAV\ConfigLexicon;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
 use OCP\IAppConfig;
@@ -46,20 +47,16 @@ public function handle(Event $event): void {
 	}
 
 	private function handleGetValue(DeclarativeSettingsGetValueEvent $event): void {
-
 		if ($event->getFieldId() === 'system_addressbook_enabled') {
-			$event->setValue((int)$this->config->getValueBool('dav', 'system_addressbook_exposed', true));
+			$event->setValue((int)$this->config->getValueBool(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED));
 		}
-
 	}
 
 	private function handleSetValue(DeclarativeSettingsSetValueEvent $event): void {
-
 		if ($event->getFieldId() === 'system_addressbook_enabled') {
-			$this->config->setValueBool('dav', 'system_addressbook_exposed', (bool)$event->getValue());
+			$this->config->setValueBool(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED, (bool)$event->getValue());
 			$event->stopPropagation();
 		}
-
 	}
 
 }
diff --git a/apps/dav/lib/Migration/DisableSystemAddressBook.php b/apps/dav/lib/Migration/DisableSystemAddressBook.php
index f2530c4a1b1a5..8c7f712275cc8 100644
--- a/apps/dav/lib/Migration/DisableSystemAddressBook.php
+++ b/apps/dav/lib/Migration/DisableSystemAddressBook.php
@@ -9,6 +9,7 @@
 namespace OCA\DAV\Migration;
 
 use OCA\DAV\AppInfo\Application;
+use OCA\DAV\ConfigLexicon;
 use OCP\AppFramework\Services\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IUserManager;
@@ -40,7 +41,7 @@ public function getName() {
 	 */
 	public function run(IOutput $output) {
 		// If the system address book exposure was previously set skip the repair step
-		if ($this->appConfig->hasAppKey('system_addressbook_exposed') === true) {
+		if ($this->appConfig->hasAppKey(ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED) === true) {
 			$output->info('Skipping repair step system address book exposed was previously set');
 			return;
 		}
@@ -50,7 +51,7 @@ public function run(IOutput $output) {
 			$output->info("Skipping repair step system address book has less then the threshold $limit of contacts no need to disable");
 			return;
 		}
-		$this->appConfig->setAppValueBool('system_addressbook_exposed', false);
+		$this->appConfig->setAppValueBool(ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED, false);
 		$output->warning("System address book disabled because it has more then the threshold of $limit contacts this can be re-enabled later");
 		// Notify all admin users about the system address book being disabled
 		foreach ($this->groupManager->get('admin')->getUsers() as $user) {
diff --git a/apps/dav/lib/SetupChecks/SystemAddressBookSize.php b/apps/dav/lib/SetupChecks/SystemAddressBookSize.php
index ad7d8b9c2cc2f..746ce609e47bd 100644
--- a/apps/dav/lib/SetupChecks/SystemAddressBookSize.php
+++ b/apps/dav/lib/SetupChecks/SystemAddressBookSize.php
@@ -10,6 +10,7 @@
 namespace OCA\DAV\SetupChecks;
 
 use OCA\DAV\AppInfo\Application;
+use OCA\DAV\ConfigLexicon;
 use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IUserManager;
@@ -33,7 +34,7 @@ public function getCategory(): string {
 	}
 
 	public function run(): SetupResult {
-		if (!$this->appConfig->getValueBool(Application::APP_ID, 'system_addressbook_exposed', true)) {
+		if (!$this->appConfig->getValueBool(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED)) {
 			return SetupResult::success($this->l10n->t('The system address book is disabled'));
 		}
 
diff --git a/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php b/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
index bdd826f671b6f..90caeed666880 100644
--- a/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
+++ b/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
@@ -12,6 +12,7 @@
 use OCA\DAV\CardDAV\ContactsManager;
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -21,7 +22,8 @@ class ContactsManagerTest extends TestCase {
 	public function test(): void {
 		/** @var IManager&MockObject $cm */
 		$cm = $this->createMock(IManager::class);
-		$cm->expects($this->exactly(2))->method('registerAddressBook');
+		$cm->expects($this->exactly(1))->method('registerAddressBook');
+		/** @var IURLGenerator&MockObject $urlGenerator */
 		$urlGenerator = $this->createMock(IURLGenerator::class);
 		/** @var CardDavBackend&MockObject $backEnd */
 		$backEnd = $this->createMock(CardDavBackend::class);
@@ -29,9 +31,12 @@ public function test(): void {
 			['{DAV:}displayname' => 'Test address book', 'uri' => 'default'],
 		]);
 		$propertyMapper = $this->createMock(PropertyMapper::class);
+		/** @var IAppConfig&MockObject $appConfig */
+		$appConfig = $this->createMock(IAppConfig::class);
 
+		/** @var IL10N&MockObject $l */
 		$l = $this->createMock(IL10N::class);
-		$app = new ContactsManager($backEnd, $l, $propertyMapper);
+		$app = new ContactsManager($backEnd, $l, $propertyMapper, $appConfig);
 		$app->setupContactsProvider($cm, 'user01', $urlGenerator);
 	}
 }
diff --git a/apps/dav/tests/unit/SetupChecks/SystemAddressBookSizeTest.php b/apps/dav/tests/unit/SetupChecks/SystemAddressBookSizeTest.php
index 175d91a0c7d21..5d755457d182c 100644
--- a/apps/dav/tests/unit/SetupChecks/SystemAddressBookSizeTest.php
+++ b/apps/dav/tests/unit/SetupChecks/SystemAddressBookSizeTest.php
@@ -10,6 +10,7 @@
 namespace OCA\DAV\Tests\SetupChecks;
 
 use OCA\DAV\AppInfo\Application;
+use OCA\DAV\ConfigLexicon;
 use OCA\DAV\SetupChecks\SystemAddressBookSize;
 use OCP\IAppConfig;
 use OCP\IL10N;
@@ -30,7 +31,7 @@ protected function setUp(): void {
 
 	public function testSystemAddressBookDisabled() {
 		$this->appConfig->method('getValueBool')
-			->with(Application::APP_ID, 'system_addressbook_exposed', true)
+			->with(Application::APP_ID, ConfigLexicon::SYSTEM_ADDRESSBOOK_EXPOSED)
 			->willReturn(false);
 
 		$check = new SystemAddressBookSize($this->appConfig, $this->userManager, $this->l10n);
diff --git a/build/integration/features/contacts-menu.feature b/build/integration/features/contacts-menu.feature
index 772c0e5405cfb..a3a9e0f666740 100644
--- a/build/integration/features/contacts-menu.feature
+++ b/build/integration/features/contacts-menu.feature
@@ -192,3 +192,19 @@ Feature: contacts-menu
     And searching for contacts matching with "test"
     # Disabled because it regularly fails on drone:
     # Then the list of searched contacts has "0" contacts
+
+  Scenario: users cannot list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And invoking occ with "config:app:set dav system_addressbook_exposed --value false"
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "1" contacts
+    And invoking occ with "config:app:delete dav system_addressbook_exposed"
+
+  Scenario: users can list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "2" contacts
diff --git a/build/psalm-baseline.xml b/build/psalm-baseline.xml
index 7d0d0c4eabe0e..472eac7295da3 100644
--- a/build/psalm-baseline.xml
+++ b/build/psalm-baseline.xml
@@ -512,10 +512,6 @@
     </DeprecatedMethod>
   </file>
   <file src="apps/dav/lib/CardDAV/UserAddressBooks.php">
-    <DeprecatedMethod>
-      <code><![CDATA[getAppValue]]></code>
-      <code><![CDATA[getL10N]]></code>
-    </DeprecatedMethod>
     <InvalidArgument>
       <code><![CDATA[$this->principalUri]]></code>
       <code><![CDATA[$this->principalUri]]></code>