I have a table called reviews where I want only certain columns to be publicly accessible. I wrote this command

GRANT SELECT (id, for_institution, rating, pros, cons, published, upvotes, downvotes, banned) on reviews to public;

and ran it in the SQL editor. It still seems to return all the columns when I tested with the client. I also have RLS turned on for that table and a policy allowing all users to SELECT

You likely need to figure out other "default" grants there are on the entire table. Probably need to revoke select on the table. But without looking into it, not sure what SB grants to tables by default and to which users.