Note that the JS client is deliberately limited in the queries it can perform[1].
You can also be fully restrictive by only allowing the client to call the custom SQL functions[2] you define. In Supabase this is done by having all your tables in a "private" schema and only SQL functions in the "public" schema (whose db objects get exposed to the client).
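As an added illustration of that layout (example SQL, not the commenter's own code): tables sit in a `private` schema the API never exposes, and the only client-reachable object is a function in `public`. It assumes Supabase's `anon`/`authenticated` API roles and its `auth.uid()` helper.

```sql
-- Tables live in a schema that is NOT exposed through the API.
create schema if not exists private;

create table private.orders (
  id          bigint  generated always as identity primary key,
  owner_id    uuid    not null,
  total_cents integer not null check (total_cents >= 0)
);

-- Client-facing roles must not reach the private schema directly.
-- (anon / authenticated are the roles Supabase's API uses; assumed here.)
revoke all on schema private from anon, authenticated;
revoke all on all tables in schema private from anon, authenticated;

-- The only thing the client can call: a function in the exposed "public" schema.
-- security definer runs it with the owner's privileges so it can read private.orders;
-- an empty search_path forces fully qualified names so a caller cannot hijack lookups.
create or replace function public.my_order_totals()
returns table (id bigint, total_cents integer)
language sql
security definer
set search_path = ''
as $$
  select o.id, o.total_cents
  from private.orders o
  where o.owner_id = auth.uid();   -- auth.uid(): Supabase helper returning the caller's user id
$$;

-- Functions are executable by PUBLIC by default; restrict to the intended role.
revoke execute on function public.my_order_totals() from public;
grant execute on function public.my_order_totals() to authenticated;
```

The client can now only call `my_order_totals()`; a direct `select` against `private.orders` through the API is rejected because the role has no privilege on the schema.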