Supabase's row level security is just postgres row level security, it's not proprietary to Supabase. Postgres documentation, blog posts etc on RLS will apply to Supabase too.
I get this, and I've been using postgres for a long time, so I should get this. My point is that the barrier for entry is very high. Most folks that have experience with GraphQL and not intimate knowledge of Postgres security/access are going to struggle with this. It's much different than say, Postgraphile or Asura - both of which have a much lower barrier for entry. Folks are naturally going to compare. I've been following their GraphQL extension since its development announcement and I think this will end up being the better GraphQL product in the long term. I want Supabase to be a world-class product because I'm a fan, and that means world-class documentation.
You're definitely not wrong. I think Supabase will get there ultimately. But being a startup and presumably a small team, I think it's ok for them to lean on "Supabase is basically postgres as a service so postgres docs can fill the void for now".
And just for the record I'm not affiliated with Supabase, I just use it on a side project and quite like it.