Any logged-in user can read every user’s rows
The UI filters by user. The database doesn’t. One crafted request and user B is reading user A’s data.
- -- table has RLS disabled + create policy "own rows only" + on documents for select + using (auth.uid() = user_id);
✓ user B receives zero rows owned by user A
Read the teardown →