I think the only way to make it not accessible by the client is to mark it as not server readable… But that is not particularly helpful.
I’ve done more looking at this here
It comes down to Anvil having a server callable function as part of the User Management feature. Since this is an authenticated call it has access and it returns the user row back to the client. We can’t do anything to stop clients from making that call if they are logged in.