For example, if you have an RLS which does NOT allow you to se item with id X

and you try to get item with id X (i.e. a GET request), you would still get 404

on delete it just seems to be 204

even if it fails due to RLS

Thats a patch

GET would give 200 empty collection, POST would give 403 forbidden, PATCH would give 404 not found, DELETE would give 204 no content

It seems to be doing the right thing, i just dont understand the choice of codes. But perhaps the philosophy is that a PATCH and a DELETE could "tell" an unauthorized party that a post exists, by giving a forbidden error, or something

but I am a bit surprised by the GET

are you sure you are talking about a get on an id or are you talking about GET on all items in the collection?

I really don't see why a GET on an id where you don't have sufficient permissions would result in 200

if you say - give me all items from a table, and you have no rights on that collection, it makes sense to get 200 empty collection

but if you try to get a specific item with id X, then it makes sense to get 404 not found

you cant really "try to get a specific item" as i understand it - you always ask for all items matching the condition. The client just has an API which lets you unpack the response when you expect just one

Either way, our talk cleared up my main confusing. So thanks!

ok, sorry I couldn't really answer, glad this was at least somewheat helpful