We have data that should only be visible to the user that owns the data. Call them notes. There are many users, each with access to many notes. Users own their own notes and do not share them with other users.
I see this could be accomplished using queries. The user would query notes using their user ID. The query handler would only respond with the user’s own data, and the access request would check the query user ID to confirm it equals their token user ID.
The other option I see would be for the user to request each note by ID (possibly using nested resources to make this more convenient). This allows the access call to check the user’s access to each note individually.
Is there currently a recommended method for having user-specific data? Is there another method I didn’t mention here? I’m leaning towards queries as they seem simpler, though this will add a little overhead for events.
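The two access-check strategies described in the question, sketched as an added example that is not part of the original post and not tied to any particular framework. The function names, the `userId` query parameter, the token shape and the sample notes are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample data: note ID -> owner and body (hypothetical store).
NOTES = {
    "n1": {"owner": "alice", "text": "buy milk"},
    "n2": {"owner": "alice", "text": "call bank"},
    "n3": {"owner": "bob", "text": "rotate keys"},
}


def access_query(token, query):
    """Option 1: allow a notes query only if its userId equals the token's."""
    values = parse_qs(query, keep_blank_values=True).get("userId", [])
    # Require exactly one userId; a missing or repeated parameter is denied
    # so that handler and access check cannot disagree on which value counts.
    return token is not None and len(values) == 1 and values[0] == token.get("userId")


def query_notes(token, query):
    """Query handler: returns the IDs of the caller's own notes."""
    if not access_query(token, query):
        raise PermissionError("query userId does not match token userId")
    # Filter on the token's user ID rather than the client-supplied value.
    uid = token["userId"]
    return sorted(nid for nid, note in NOTES.items() if note["owner"] == uid)


def access_note(token, note_id):
    """Option 2: per-note ownership check on each requested note ID."""
    note = NOTES.get(note_id)
    # Unknown IDs are denied exactly like foreign ones, so a denial does not
    # reveal whether a note with that ID exists.
    return token is not None and note is not None and note["owner"] == token.get("userId")


def get_note(token, note_id):
    """Note handler: returns the body only after the per-note check passes."""
    if not access_note(token, note_id):
        raise PermissionError("access denied")
    return NOTES[note_id]["text"]
```

In both variants the decision rests on the user ID carried in the verified token; the client-supplied ID is only ever compared against it.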