>>galnag+(OP)
Supabase seriously needs to work on its messaging around RLS. I have seen _so_ many apps get hacked because the devs didn't add a proper RLS policy and end up exposing all of their data.
(As an aside, accessing the DB through the frontend has always been weird to me. You almost certainly have a backend anyway, use it to fetch the data!)