I found that generally Spring annotations are recommended to be placed on implementation for example @Transactional, but where to place @PreAuthorized?
In official Spring Docs https://docs.spring.io/spring-security/site/docs/current/reference/html/authorization.html#el-pre-post-annotations they add these to the interface methods.
But I think you can add them also on the implementation.