Securing access to database functions only
I am considering only having database functions in the public schema to ensure that the frontend application we are building receives very specific data already formatted as JSON. My hope is to prevent any direct table access through the API, which reduces the number of decisions my frontend team needs to make. This should also prevent n+1 queries and any other performance issues that may happen when calling the API using JS. My question is, if I provide access using RLS to the underlying tables in a different schema to my users with the idea that they will only access the data using the database functions, is it possible for those users to access the direct tables in the non-public tables through the API?
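The layout described in the question, written out as an added PostgreSQL example (not part of the original post) with a query that audits what the application role can reach inside the database. The schema `private`, role `app_user`, table `orders`, function `get_my_orders` and session setting `app.user_id` are all assumed names.

```sql
-- Assumed names throughout: schema "private", role "app_user", table "orders".
CREATE ROLE app_user NOLOGIN;
CREATE SCHEMA private;

CREATE TABLE private.orders (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id text    NOT NULL,
    total    numeric NOT NULL
);
ALTER TABLE private.orders ENABLE ROW LEVEL SECURITY;

-- RLS policy: a caller sees only the rows it owns. The session setting
-- "app.user_id" is an assumed stand-in for however the API passes identity.
-- With no setting present the comparison is NULL and no rows are returned.
CREATE POLICY orders_owner ON private.orders
    FOR SELECT TO app_user
    USING (owner_id = current_setting('app.user_id', true));

-- A SECURITY INVOKER function runs with the caller's privileges, so the
-- caller needs USAGE on the schema and SELECT on the table. RLS is then
-- the control that limits which rows come back.
GRANT USAGE ON SCHEMA private TO app_user;
GRANT SELECT ON private.orders TO app_user;

CREATE FUNCTION public.get_my_orders() RETURNS json
LANGUAGE sql STABLE SECURITY INVOKER
SET search_path = ''
AS $$
    SELECT coalesce(json_agg(o ORDER BY o.id), '[]'::json)
    FROM private.orders AS o;
$$;

-- Functions are executable by PUBLIC by default; narrow that explicitly.
REVOKE EXECUTE ON FUNCTION public.get_my_orders() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.get_my_orders() TO app_user;

-- Audit: privileges the role holds at the database level. These apply to
-- any connection made as app_user, whatever schemas an API layer exposes.
SELECT has_schema_privilege('app_user', 'private', 'USAGE')        AS schema_usage,
       has_table_privilege('app_user', 'private.orders', 'SELECT') AS can_select,
       has_table_privilege('app_user', 'private.orders', 'INSERT') AS can_insert;
```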