A security flaw of moderate to high severity

@thetaghun the currently logged-in user ALWAYS has access to their row in the users table. Essentially, there is no way to keep the currently logged-in user from calling anvil.users.get_user() and getting the table row.

Because of this:
Don’t use links in the users table, as the linked rows are also available to the client without a server-side call. The real scary case is where you are linking to another row in the users table, think social network use case, as this can cascade and expose your entire table to a single authenticated user.

Don’t add any data to the users table that you don’t want the user to obtain. I add a UUID4 token in the users table which becomes their primary key in other tables that I don’t want them to have access to.

Because it is only the currently logged-in user, leaking their hashed password is not really an issue. I would say that the real data leak in this case is obtaining information about how passwords are stored and the salt, hash method. But this is readily available in the GitHub repo for Anvil anyways.

You can read more about the security in the users table here: Security of users table

Are you seeing other information leaked beyond what the currently logged-in user should have?

3 Likes
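An added example, not part of the original post and not Anvil code: a plain-Python model of the link cascade described in the post above, usable as a schema audit that lists every row reachable from the logged-in user's row by following link columns. The `Link` class, table names, column names and sample rows are all constructed for illustration; the model assumes, as the post states, that linked rows are readable on the client.

```python
from collections import deque
import uuid

class Link:
    """Stand-in for a link-column value pointing at a row in some table."""
    def __init__(self, table, row_id):
        self.table, self.row_id = table, row_id

def client_reachable(tables, start):
    """Return every (table, row_id) reachable from `start` by following links.

    Models the post's claim: the logged-in user's own row, and any row it
    links to (directly or through further links), can be read on the client.
    """
    seen, queue = {start}, deque([start])
    while queue:
        table, row_id = queue.popleft()
        for value in tables[table][row_id].values():
            # A column may hold a single link or a list of links.
            links = value if isinstance(value, list) else [value]
            for link in links:
                if isinstance(link, Link):
                    target = (link.table, link.row_id)
                    if target not in seen:
                        seen.add(target)
                        queue.append(target)
    return seen

def linked_design():
    # Constructed sample: users link to other users ("friends" column).
    return {"users": {
        1: {"email": "a@example.com", "friends": [Link("users", 2)]},
        2: {"email": "b@example.com", "friends": [Link("users", 3)]},
        3: {"email": "c@example.com", "friends": [Link("users", 1)]},
    }}

def token_design():
    # Constructed sample: the users row holds only an opaque UUID4 token.
    # Related tables are keyed by that token and looked up server-side.
    tokens = {i: str(uuid.uuid4()) for i in (1, 2, 3)}
    users = {i: {"email": f"user{i}@example.com", "token": t}
             for i, t in tokens.items()}
    friends = {tokens[1]: {"friend_tokens": [tokens[2]]}}
    return {"users": users, "friends": friends}

if __name__ == "__main__":
    print(sorted(client_reachable(linked_design(), ("users", 1))))
    print(sorted(client_reachable(token_design(), ("users", 1))))
```

With link columns, user 1's row reaches every row in the constructed users table; with the token column, only user 1's own row is reachable.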