I generally feel weird about making the DB query statements (even ORM) in the client-side code. Plus it would add more JS & complexity to client-side code. Made a backend that still verifies the user tokens. Plus the backend is directly connected to the DB, since I'm more comfortable with raw queries than ORM. (Also because I couldn't figure out json_build_object & dynamic queries in the Supabase ORM.)