by imbusy111 1663 days ago
It seems to me that it's the main limitation of this solution - authorization is limited to table scope so if you can update any row, you can update all rows for all users. Same for data querying.

If you completely trust your users, that's fine.

2 comments

That's not true; you can use row level security (RLS) to control access (both reading and writing) on a per-row basis. You can think of it as similar to an implicit "where" clause that automatically gets added to all requests.

RLS: https://www.postgresql.org/docs/current/ddl-rowsecurity.html

We built an entire system using RLS and functions. Postgraphile is frankly amazing. You can also extend the schema using Typescript or SQL.
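To make the "implicit where clause" concrete, here is an added PostgreSQL example (not from the thread or from Postgraphile) showing a policy that restricts both reads and writes to the row owner, so an UPDATE with no WHERE cannot touch other users' rows. It assumes the application sets the caller's id in a session setting named app.user_id and runs queries as an app_user role; both names are illustrative.

```sql
-- Added example, not from the thread. Assumes the app sets the session
-- setting app.user_id and runs as role app_user (both names illustrative).
CREATE TABLE notes (
  id        serial  PRIMARY KEY,
  owner_id  integer NOT NULL,
  body      text    NOT NULL
);

-- Without ENABLE, policies are ignored and the table-wide grants apply.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
-- Apply policies to the table owner as well (owners bypass RLS otherwise).
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE, SELECT ON SEQUENCE notes_id_seq TO app_user;

-- USING filters the rows the role can see or modify (SELECT/UPDATE/DELETE);
-- WITH CHECK constrains rows it may write (INSERT/UPDATE), so a user can
-- neither read nor reassign another user's note. current_setting(..., true)
-- returns NULL when unset, which matches no rows.
CREATE POLICY notes_owner_only ON notes
  FOR ALL TO app_user
  USING      (owner_id = current_setting('app.user_id', true)::integer)
  WITH CHECK (owner_id = current_setting('app.user_id', true)::integer);

-- Demonstration: act as user 7 for one transaction.
BEGIN;
SET ROLE app_user;
SET LOCAL app.user_id = '7';

INSERT INTO notes (owner_id, body) VALUES (7, 'mine');          -- allowed
-- The next statement fails with "new row violates row-level security policy":
-- INSERT INTO notes (owner_id, body) VALUES (8, 'someone else''s');

-- No WHERE clause, yet only rows with owner_id = 7 are updated.
UPDATE notes SET body = 'edited';

SELECT * FROM notes;   -- only user 7's rows are visible
COMMIT;
```

Check the effective policy set with `\d+ notes` in psql, which lists the policies attached to the table, and confirm the role does not have the BYPASSRLS attribute.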