How do you limit the queries allowed in the UI, i.e. prevent someone from making a really slow / large query? Do you generally not use Supabase directly in the UI and instead write an API that your front end can call?
Note that the JS client is deliberately limited in the queries it can perform[1].
You can also be fully restrictive by only allowing the client to call the custom SQL functions[2] you define. In Supabase this is done by having all your tables in a "private" schema and only SQL functions in the "public" schema (whose db objects get exposed to the client).
You can call directly from the UI. Just make sure that you have Row Level Security enabled and configure the default API parameters accordingly (e.g., by default you can select a max of 1000 rows; you can adjust this if you want).
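A constructed example of the two approaches described above combined: tables in a private schema with RLS, and a single bounded RPC function in the public schema as the only client-callable surface. This is added illustration, not code from the thread or from Supabase; the `orders` table, the `my_recent_orders` function, the 100-row cap and the 5-second timeout are assumptions.

```sql
-- Constructed example. Tables live in a schema the API does not expose;
-- the client can only reach the data through one fixed-shape function.
create schema if not exists private;

create table private.orders (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),
  total_cents integer not null,
  created_at  timestamptz not null default now()
);

-- RLS on the table itself: even if a grant slips through later, a caller
-- still only sees their own rows.
alter table private.orders enable row level security;
create policy owners_read_own on private.orders
  for select using (owner_id = auth.uid());

-- The function runs as the caller (SECURITY INVOKER is the default), so the
-- API role needs table access, but RLS bounds what it can read. The schema
-- is not in the API's exposed schema list, so there is no REST route to it.
grant usage on schema private to authenticated;
grant select on private.orders to authenticated;

-- The exposed function: fixed query shape, page size clamped to 1..100,
-- search_path pinned so every object is resolved by its qualified name.
create or replace function public.my_recent_orders(page_size int default 50)
returns setof private.orders
language sql
security invoker
set search_path = ''
stable
as $$
  select * from private.orders
  where owner_id = auth.uid()
  order by created_at desc
  limit least(greatest(coalesce(page_size, 50), 1), 100);
$$;

-- Anonymous callers get nothing; logged-in users get only this function.
revoke all on function public.my_recent_orders(int) from public;
grant execute on function public.my_recent_orders(int) to authenticated;

-- Hard stop for slow queries, independent of row counts (assumed value).
alter role authenticated set statement_timeout = '5s';
```

The per-function `limit` here is in addition to the API-wide max-rows cap mentioned above, and the `statement_timeout` on the API role is what actually bounds a slow query rather than a large one.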
[1]: https://postgrest.org/en/stable/api.html#custom-queries
[2]: https://supabase.com/docs/reference/javascript/rpc