If you don't want to change the policy you can use a function to return true/false and use "security definer" in the definition. Then it will skip the policy to do the test and user will not have direct access. But if you only allow read by user id policy, not much useful info they could see anyway.

That was very helpful for me, thanks! Could you please show the example of that "security definer"?

Thank you