Well, for those who run into the same problem...
Deeper debugging found that the gem is configured to ignore the authorization mechanism on init. To enable profiling only in some cases (e.g. non-production or only for admin users), you need to override the default configuration in application.rb (or preferably some specific config file):
Rack::MiniProfiler.config.authorization_mode = :whitelist if Rails.env.production?
Otherwise the configuration is set to :allow_all.
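The "only for admin users" case from the answer above, as an added example that is not part of the original post or the gem's own code: in `:whitelist` mode a request is profiled only after `Rack::MiniProfiler.authorize_request` has been called for it, so the call is gated on an admin check. `ProfilerGate`, `profiler_allowed?`, `authorize_profiler` and `current_user.admin?` are hypothetical names for your app's auth layer.

```ruby
# Added example; the file paths below follow the usual Rails layout.

# config/initializers/mini_profiler.rb
# In production, profile only requests that were explicitly authorized.
# :whitelist is the value from the post; newer gem releases may name this
# mode :allow_authorized (assumption: check the README of your version).
if defined?(Rails) && defined?(Rack::MiniProfiler)
  Rack::MiniProfiler.config.authorization_mode = :whitelist if Rails.env.production?
end

# app/controllers/concerns/profiler_gate.rb
module ProfilerGate
  def self.included(base)
    # Run on every request when mixed into a Rails controller.
    base.before_action(:authorize_profiler) if base.respond_to?(:before_action)
  end

  # Fail closed: anonymous users and non-admins are never authorized.
  def profiler_allowed?
    user = current_user
    !user.nil? && user.respond_to?(:admin?) && user.admin? == true
  end

  # Opt this request in to profiling. Without this call, :whitelist mode
  # leaves the profiler off for the request.
  def authorize_profiler
    return false unless profiler_allowed?
    Rack::MiniProfiler.authorize_request
    true
  end
end

# app/controllers/application_controller.rb
# class ApplicationController < ActionController::Base
#   include ProfilerGate
# end
```

Keeping the admin check in one method that returns false by default means a missing or misbehaving `current_user` leaves the profiler off instead of exposing timings and SQL to every visitor.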