The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/11/sql-createpolicy.html
Description:

It's not clear enough from reading the documentation on RLS security policy that schema designers need to pay special attention to views and their ownership. (Views will bypass RLS security in the common case that they are owned by a superuser.) I have seen this misunderstanding lead to unexpected data exposure. This *is* clarified at the very bottom of the Notes section on the `create policy` document, but I believe it justifies having a clear and prominent callout. Thank you!
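
The view-ownership behaviour described in the comment above, as an added example that is not part of the original message or of the PostgreSQL documentation: a superuser-owned view beside the same view owned by a role that is subject to RLS, followed by a catalog query for auditing view owners. All role, table, view and policy names are constructed for illustration.

```sql
-- Constructed demo objects; run as a superuser in a scratch database.
CREATE ROLE alice;
CREATE ROLE bob;
CREATE ROLE view_owner;   -- plain role: no SUPERUSER, no BYPASSRLS, not the table owner

CREATE TABLE accounts (owner_name text, balance numeric);
INSERT INTO accounts VALUES ('alice', 100), ('bob', 200);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON accounts FOR SELECT USING (owner_name = current_user);
GRANT SELECT ON accounts TO alice, bob, view_owner;

-- Weak: the view is created by, and therefore owned by, the superuser.
CREATE VIEW accounts_v AS SELECT owner_name, balance FROM accounts;
GRANT SELECT ON accounts_v TO alice, bob;

SET ROLE alice;
SELECT * FROM accounts;     -- own_rows is applied to alice
SELECT * FROM accounts_v;   -- table is read with the view owner's rights: policy skipped
RESET ROLE;

-- Corrected: hand the view to a role that is itself subject to RLS.
ALTER VIEW accounts_v OWNER TO view_owner;

SET ROLE alice;
SELECT * FROM accounts_v;   -- own_rows now filters; current_user is still alice
RESET ROLE;

-- Audit: user views whose owner bypasses RLS (superuser or BYPASSRLS attribute).
SELECT c.oid::regclass AS view_name, r.rolname AS owner
FROM pg_class c
JOIN pg_roles r ON r.oid = c.relowner
WHERE c.relkind = 'v'
  AND (r.rolsuper OR r.rolbypassrls)
  AND c.relnamespace NOT IN ('pg_catalog'::regnamespace,
                             'information_schema'::regnamespace);
```

On PostgreSQL 15 and later, a view can instead be created `WITH (security_invoker = true)` so that the underlying table is checked with the querying user's rights and policies.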