I think there needs to be a big disclaimer on the User Management page that explains that any data retrievable by the anvil.users.get_user() method is ALWAYS readable on the client side. Essentially, any authenticated user can access all data in and linked from their user row.
This is regardless of the permissions set for the Users table.
Perhaps a starting point:
Security
The built-in method anvil.users.get_user() makes an authenticated server-side call to the users table and returns their row to the client. Because of this, any data stored in, or linked from, the users table should always be considered accessible by the authenticated user.
Anything that is accessible from anvil.server.get_user() is always accessible on the client side regardless of the table’s Client code access permission.
When adding columns or linking to other tables from the users table, consider what you are exposing to a bad actor.
Example:
You are building a messaging app that allows users to select friends and also block other users. You set up two additional columns in your users table for blocked and friends that allow multiple linked rows to the users table.
Our bad actor starts looking at their row and notices the blocked and friends fields. Perhaps they can add a user Jeff to their blocked list and now have access to this example's entire users table by traversing the linked rows.
Here is the example of data leaking client side:
[Image: User Table Data Leakage]
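To make the traversal in that example concrete, here is an added example (mine, not the poster's and not Anvil code): a tiny stand-in for Data Tables where links are (table, row_id) tuples, a function that walks link columns outward from the row a client gets back from get_user(), and the same data in a hardened layout where the friend/block relationships live in a separate table that links back to users. All tables, rows and e-mail addresses are constructed for the demonstration.

```python
from collections import deque

# Constructed sample data (not an Anvil table): the messaging app from the post.
# A link value is a (table, row_id) tuple, or a list of them for multi-link columns.
# The attacker (row 1) blocked Jeff (2); Jeff's friends include Alice (3); Alice's
# friends include Bob (4). Messages link *to* users, never the other way round.
LEAKY_DB = {
    "users": {
        1: {"email": "attacker@example.com", "friends": [], "blocked": [("users", 2)]},
        2: {"email": "jeff@example.com", "friends": [("users", 3)], "blocked": []},
        3: {"email": "alice@example.com", "friends": [("users", 4)], "blocked": []},
        4: {"email": "bob@example.com", "friends": [], "blocked": []},
    },
    "messages": {10: {"body": "hi bob", "sender": ("users", 3)}},
}

# Hardened layout: no link columns on users at all. Friend/block relationships
# live in their own table that links back to users, so they are only reachable
# through a server-side lookup, not through the row get_user() returns.
HARDENED_DB = {
    "users": {i: {"email": row["email"]} for i, row in LEAKY_DB["users"].items()},
    "relationships": {
        1: {"owner": ("users", 1), "other": ("users", 2), "kind": "blocked"},
        2: {"owner": ("users", 2), "other": ("users", 3), "kind": "friend"},
        3: {"owner": ("users", 3), "other": ("users", 4), "kind": "friend"},
    },
    "messages": LEAKY_DB["messages"],
}


def reachable_rows(db, start=("users", 1)):
    """Every (table, row_id) a client can read by following link columns outward
    from `start`, the way client code can walk the row returned by get_user()."""
    seen = {start}
    queue = deque([start])
    while queue:
        table, row_id = queue.popleft()
        for value in db[table][row_id].values():
            links = value if isinstance(value, list) else [value]
            for link in links:
                if isinstance(link, tuple) and link not in seen:
                    seen.add(link)
                    queue.append(link)
    return seen


def relationships_for(db, user_id, kind):
    """Server-side accessor for the hardened layout: returns only the e-mails
    of the caller's own `kind` relationships, never other users' rows."""
    return sorted(db["users"][r["other"][1]]["email"]
                  for r in db["relationships"].values()
                  if r["owner"] == ("users", user_id) and r["kind"] == kind)
```

With the leaky layout, reachable_rows walks from the attacker's row to all four user rows; with the hardened layout it stops at the attacker's own row, and the friend/block lists come only from relationships_for, which would sit behind a server function.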
