RLS (row level security) came out in 9.5, January 2016. It's a game changer when used in combination with JWT tokens for identity and something like PostgREST, specifically because a client can talk directly to PostgREST and run queries directly against the DB while letting the RLS policies dictate access. For example, a mobile client is allowed to insert data on the auth'd user's behalf, but the same user can only access rows that are associated with their own identity. Supabase rolls this up into an out-of-the-box solution, which basically eliminates a lot of work writing "middleware APIs".
It's a good feature, but I spent many days debugging problems caused by it.
It might have been the fault of the supabase.js APIs, but still not a lot of fun memories.
It's like a lot of things... process orientation and discipline early on go a long way to keeping things sane. There are nice techniques for debugging policies as well (login_as_user functions, etc). We write pgTAP tests for everything, and that REALLY helps.
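
The pattern discussed in this thread, as an added example that is not code from any of the commenters: an owner-only RLS policy keyed on the JWT `sub` claim, a `login_as_user` helper for impersonation while debugging, and pgTAP assertions that the policy holds. The table, the `app_user` role, `jwt_sub()` and the body of `login_as_user()` are assumptions made for illustration; the claims are read from the `request.jwt.claims` setting, the convention PostgREST uses.

```sql
BEGIN;  -- everything below is rolled back at the end
CREATE EXTENSION IF NOT EXISTS pgtap;
CREATE ROLE app_user NOLOGIN;  -- assumed role that API requests run as

-- Constructed sample table: each note belongs to one JWT subject.
CREATE TABLE notes (
  id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner text NOT NULL,
  body  text NOT NULL
);
GRANT SELECT, INSERT ON notes TO app_user;
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Read the "sub" claim; NULL when no claims are set, so no row matches.
CREATE FUNCTION jwt_sub() RETURNS text LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('request.jwt.claims', true), '')::json ->> 'sub'
$$;

-- USING filters reads; WITH CHECK rejects writes on behalf of someone else.
CREATE POLICY notes_owner ON notes TO app_user
  USING (owner = jwt_sub())
  WITH CHECK (owner = jwt_sub());

-- Hypothetical debugging helper: act as the given user for this transaction.
CREATE FUNCTION login_as_user(sub text) RETURNS void LANGUAGE plpgsql AS $$
BEGIN
  PERFORM set_config('request.jwt.claims',
                     json_build_object('sub', sub)::text, true);
  PERFORM set_config('role', 'app_user', true);
END $$;

SELECT plan(3);

SELECT login_as_user('alice');
INSERT INTO notes (owner, body) VALUES ('alice', 'hi');

SELECT login_as_user('bob');
SELECT is_empty('SELECT * FROM notes', 'bob cannot read alice''s rows');
-- 42501 = insufficient_privilege, raised when WITH CHECK fails.
SELECT throws_ok(
  $$INSERT INTO notes (owner, body) VALUES ('alice', 'forged')$$, '42501');

SELECT login_as_user('alice');
SELECT results_eq('SELECT body FROM notes', ARRAY['hi'],
                  'alice sees only her own row');

SELECT * FROM finish();
ROLLBACK;
```

Run it with `psql -f` as a role that can create roles and extensions; the table owner bypasses RLS unless `FORCE ROW LEVEL SECURITY` is set, which is why the assertions run after switching to `app_user`.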