Data shown - form navigation by malicious users client side

If you think in terms of a malicious user, you should work on the assumption that they can see and adjust any client code that exists in your web app.

If you know your way around you could, in theory, work out the incantation to trigger opening forms from the console. Or just rewrite the client code completely.

Indeed, a couple of years ago I wrote an app for fun. It was just a toy app. I let my students know that there were big security issues and if they tried they could probably hack it, almost laying down a challenge. I’d quickly put everything together, and all validation was on the client and datatables were accessible from the client. One pupil decided to dive deep and, having no prior experience with Anvil (but an exceptionally good knowledge of Python and JavaScript), a few days later showed me he was able to download the data! Of course, if I’d been more diligent and written it with server validation checks and proper permissions set, then he wouldn’t have been able to work around them by hacking the client code.

So to prevent malicious users you must validate permission on the server. Typically this means that Anvil datatables are not viewable from client code, and any request for data is validated on the server, not the client.

The other point worth mentioning is that client sessions are totally separate. If user A interacts with your app from computer A, this is a completely separate session from malicious user B interacting with your app from computer B. So allowing user A to see their data will not mean that user B can see user A's data. They have no access to user A's session.
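
A minimal model of the server-side check described above, as an added example that is not part of the original post and is not Anvil's own code. Plain Python stands in for the server module, and `Session`, `NOTES`, `get_notes` and the other names are hypothetical; in an Anvil app the same checks would sit in server functions, with the data table left inaccessible to client code.

```python
# Constructed sample rows standing in for a data table only the server can read.
NOTES = [
    {"id": 1, "owner": "alice@example.com", "text": "alice's grades"},
    {"id": 2, "owner": "bob@example.com", "text": "bob's grades"},
]


class Session:
    """Server-side session state (hypothetical). One per connected client."""

    def __init__(self, user=None):
        self.user = user  # set by the server after login, never by the client


class PermissionDenied(Exception):
    pass


def get_notes_trusting_client(session, owner):
    # Weak: 'owner' is an argument chosen by the caller. Anyone who edits the
    # client code or calls from the browser console can pass any value.
    return [dict(n) for n in NOTES if n["owner"] == owner]


def get_notes(session):
    # Hardened: identity is read from the server-side session only.
    if session.user is None:
        raise PermissionDenied("login required")
    return [dict(n) for n in NOTES if n["owner"] == session.user]


def get_note(session, note_id):
    # Row ids also arrive from the client, so ownership is checked on every call.
    if session.user is None:
        raise PermissionDenied("login required")
    for n in NOTES:
        if n["id"] == note_id and n["owner"] == session.user:
            return dict(n)
    raise PermissionDenied("not your note")


if __name__ == "__main__":
    user_b = Session("bob@example.com")  # separate session from user A's
    print(get_notes_trusting_client(user_b, "alice@example.com"))  # leaks A's row
    print(get_notes(user_b))  # only B's own row
```
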