[cdaringe]

Thanks for the input. I'll make some previously unstated assumptions, which I should have sent in the first post:

1. the db file is not publicly accessible. it is accessible only to some private application 2. user data is inside the database 3. the application passes some configuration in before the query runs (a la https://www.graphile.org/postgraphile/security/#how-it-works) 4. that configuration identifies the user through some downstream `check constraint` implementation, which currently doesn't exist :)

These assumptions are consistent with your second paragraph, which is my goal.