Isn’t server code always “trusted”?
The code in question is running in a package in the packages dir of my Meteor app in Meteor 126.96.36.199.
This was working before I upgraded to Meteor 1.3:
W20160518-00:20:59.810(-4)? (STDERR) Error: Not permitted. Untrusted code may only remove documents by ID. 
W20160518-00:20:59.810(-4)? (STDERR) at throwIfSelectorIsNotId (packages/allow-deny/allow-deny.js:483:11)
W20160518-00:20:59.811(-4)? (STDERR) at [object Object]._callMutatorMethod (packages/allow-deny/allow-deny.js:409:5)
W20160518-00:20:59.811(-4)? (STDERR) at [object Object].remove (packages/mongo/collection.js:594:17)