One dev of a Lovable competitor pointed me to the rules that are supposed to ensure queries are limited to that user's data. This seems like "pretty please?" to my amateur eyes.
https://github.com/dyad-sh/dyad/blob/de2cc2b48f2c8bfa401608c...