I underestand that when a request includes Ocp-Apim-Trace: true like below:

GET /api/v1/BotConfig HTTP/1.1
Host: xyz.azure-api.net
Cache-Control: no-cache
Ocp-Apim-Trace: true
Ocp-Apim-Subscription-Key: ••••••••••••••••••••••••••••••••

The API Management adds ocp-apim-trace-location header:

ocp-apim-trace-location: https://womewhere.blob.core.windows.net/apiinspectorcontainer/Hin6_SGFT-some-parameters

This is obviously a security probelm and I am sure I am missing a point.

What is the mechanism to enable ocp-apim-trace-location for API Management developers, but make sure it is disabled for public service consumers?

Trace location (ocp-apim-trace-location in response header) is available only for admin accounts. For non-admin accounts or when there is no subscription key the traces aren't collected.