Security S-01
Filter by User ID.
Always.
No filter: SELECT * FROM notes (User B's data visible to User A)
Scoped to session: WHERE user_id = $session (Only your rows return)
LaunchYourVibe S-01
Every user-specific fetch must filter by the authenticated user's ID. Test it by logging in as User A and manually requesting User B's data. If you can see it, you have a problem. This isn't a platform feature you toggle on — it's a check you write and verify.
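The check described above, as an added example that is not part of the original page: an unscoped and a session-scoped fetch over the same table, plus a helper that reports any row belonging to someone other than the logged-in user. The table layout, sample rows, user names and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory notes table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, body TEXT)")
    db.executemany(
        "INSERT INTO notes (id, user_id, body) VALUES (?, ?, ?)",
        [(1, "user_a", "A's grocery list"), (2, "user_b", "B's private note")],
    )
    return db

def list_notes_unscoped(db):
    # "No filter": every user's rows come back, whoever is asking.
    return db.execute("SELECT id, user_id, body FROM notes ORDER BY id").fetchall()

def list_notes_scoped(db, session_user_id):
    # "Scoped to session": the ID is taken from the authenticated session,
    # never from a request parameter, and is bound as a query parameter.
    return db.execute(
        "SELECT id, user_id, body FROM notes WHERE user_id = ? ORDER BY id",
        (session_user_id,),
    ).fetchall()

def get_note_scoped(db, note_id, session_user_id):
    # Fetch-by-ID needs the same filter: knowing a note's ID must not be enough.
    return db.execute(
        "SELECT id, user_id, body FROM notes WHERE id = ? AND user_id = ?",
        (note_id, session_user_id),
    ).fetchone()

def cross_user_rows(rows, session_user_id):
    """Return the rows that belong to someone other than the logged-in user."""
    return [row for row in rows if row[1] != session_user_id]

if __name__ == "__main__":
    db = make_db()
    # Logged in as user_a: any row listed here is a leak.
    print("unscoped:", cross_user_rows(list_notes_unscoped(db), "user_a"))
    print("scoped:  ", cross_user_rows(list_notes_scoped(db, "user_a"), "user_a"))
    # user_a asks for user_b's note by ID; the scoped fetch returns None.
    print("A requests note 2:", get_note_scoped(db, 2, "user_a"))
```

Running the same check against each user-specific endpoint in a test suite turns the manual "log in as A, request B's data" step into a regression test.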