Can Lovable apps leak user data?

Yes, without proper Row Level Security policies, any authenticated user can potentially access all data in your Supabase database. This means user profiles, emails, payment information, and any other stored data could be exposed through simple API calls. The risk increases when the anon or service_role key is exposed in client-side code, as it enables unauthenticated access to unprotected tables. Data leaks from misconfigured Lovable apps have been publicly documented by security researchers. UNPWNED tests for data exposure risks by checking RLS policies, key exposure, and API endpoint security.