Very interesting, I really think that http APIs are just a user management layer that could be easily abstracted away now that we can do so many things client-side.

How do you handle permissions ? or how do you pervent a clients to erase the database ?

We use Postgres Row Level Security to implement the authorization. You can create your own policies from the dashboard too. You can read more about it here: https://supabase.io/blog/2020/08/05/supabase-auth