In Postgres, tables can have Row Level Security policies that restrict what a user can do with each row.
With Supabase, we can create a policy that matches the currently logged-in user. This is the application-level user, not the database user:
create policy "Users can update their own profiles." on profiles for update using ( auth.uid() = id );
auth.uid() here is just a Postgres function provided by Supabase to extract the application’s current user. See its implementation here: supabase/auth-schema.sql#Line 77-78.
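To see the policy at work outside Supabase, here is an added example for a plain Postgres database (not code from the original page or from Supabase). The `app_user` role, the `app_uid()` function, the `app.current_user_id` setting, the SELECT policy and the sample rows are all assumptions made for the illustration; `app_uid()` stands in for `auth.uid()`.

```sql
-- Run as a superuser or as a role that is a member of app_user.
-- Hypothetical application role that API requests run as.
create role app_user nologin;

create table profiles (id uuid primary key, username text);
grant select, update on profiles to app_user;

-- Policies are only evaluated once RLS is enabled on the table.
-- The table owner still bypasses them unless FORCE ROW LEVEL SECURITY is set.
alter table profiles enable row level security;

-- Hypothetical stand-in for auth.uid(): reads the application user from a
-- per-transaction setting and yields NULL when no user is set, so an
-- unauthenticated request matches no row.
create function app_uid() returns uuid language sql stable as $$
  select nullif(current_setting('app.current_user_id', true), '')::uuid
$$;

-- An UPDATE with a WHERE clause also reads rows, so rows must pass a
-- SELECT policy as well before the UPDATE policy can apply to them.
create policy "Profiles are readable." on profiles
  for select using (true);

-- Same shape as the policy above, with app_uid() in place of auth.uid().
-- With no WITH CHECK clause, the USING expression is also applied to the
-- new row, so a user cannot reassign a row to a different id.
create policy "Users can update their own profiles." on profiles
  for update using (app_uid() = id);

-- Constructed sample rows, inserted as the table owner.
insert into profiles values
  ('11111111-1111-1111-1111-111111111111', 'alice'),
  ('22222222-2222-2222-2222-222222222222', 'bob');

-- Simulate one request made on behalf of the first user.
begin;
set local role app_user;
set local app.current_user_id = '11111111-1111-1111-1111-111111111111';

-- Own row: satisfies app_uid() = id.
update profiles set username = 'alice2'
  where id = '11111111-1111-1111-1111-111111111111';

-- Another user's row: filtered out by the USING expression without an
-- error, so the statement leaves the row unchanged.
update profiles set username = 'hijacked'
  where id = '22222222-2222-2222-2222-222222222222';
commit;
```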