by amelius 3324 days ago
How is access control handled? For instance, what if the data itself encodes access control, how do I prevent the data being sent over to the client-side inadvertently?
1 comment

This is the problem Meteor had. They had this complex allow/deny configuration to see if the client has permission to run a query, but it was impossible to get around all the edge cases. They started recommending not using it and instead calling controllers that would then check server-side whether the user has permission or not and return the data to sync to the client. Then every query client-side is considered to have full read access to the data in it.
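The pattern the comment describes, as an added example that is not from this thread and not Meteor's own code: an in-memory stand-in for a collection whose documents carry their own access list, with the "run the client's query as-is" approach next to a server-side controller that applies the authorization check itself. The names `docs`, `runClientQuery` and `fetchForUser` and the sample documents are this example's own.

```javascript
// Constructed sample data: each document encodes who may read it.
const docs = [
  { _id: "d1", owner: "alice", readers: ["alice", "bob"], body: "quarterly plan" },
  { _id: "d2", owner: "alice", readers: ["alice"], body: "salary review" },
  { _id: "d3", owner: "carol", readers: ["carol"], body: "carol's notes" },
];

// Minimal equality selector, in the spirit of a Mongo-style find().
function matches(doc, selector) {
  return Object.entries(selector).every(([k, v]) => doc[k] === v);
}

// Weak pattern: the client ships an arbitrary selector and the server runs it
// unchanged. Nothing ties the selector to the caller, so { owner: "alice" }
// returns every one of alice's documents, access list included, to anyone.
function runClientQuery(selector) {
  return docs.filter((d) => matches(d, selector));
}

// Server-side controller: the caller's identity comes from the session (here a
// plain argument), the authorization predicate is applied on the server no
// matter what the client asked for, and the access-control field is stripped
// before anything is handed back to sync to the client.
function fetchForUser(userId, selector) {
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("not authenticated");
  }
  return docs
    .filter((d) => d.readers.includes(userId)) // authorization, server-side
    .filter((d) => matches(d, selector))        // then the client's narrowing
    .map(({ readers, ...rest }) => rest);       // never ship the ACL itself
}

// Usage: bob asks for alice's documents.
console.log(runClientQuery({ owner: "alice" }).map((d) => d._id)); // [ 'd1', 'd2' ]
console.log(fetchForUser("bob", { owner: "alice" }).map((d) => d._id)); // [ 'd1' ]
```

Once the controller has applied the check, the client can query the synced subset freely, which is the "full read access to the data in it" the comment ends on.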