We built a permission system on top of Google's CEL [1]. Every object returned in a query is filtered by a 'view' rule. Similarly, every modification of an object goes through a 'create/update/delete' rule.

You can learn more about the rules language in the permission docs: https://www.instantdb.com/docs/permissions

[1] https://github.com/google/cel-java