I built the same security auditor twice this week — once for Supabase, once for PocketBase. Here's the pattern that ports across BaaS, and where it breaks.

Two Mondays ago I scanned my own Supabase project and found 17 publicly readable tables I had no idea about. b2b_leads, internal growth metrics, engagement emails — all of it grant-readable to anon because that was the default behavior PostgREST shipped with for years. I shipped an open-source auditor for it. Then I ported the same approach to PocketBase. This post is about what survived the port and what didn't.

The pattern that ports

Every BaaS that exposes the database directly to the browser ships with the same shape of vulnerability: a default that exposes everything. Supabase's default for years was that any table in public is readable by the anon role unless you explicitly add RLS and policies. PocketBase's default for new collections is empty rules, which means fully public for that operation. Different mechanism, identical foot-gun.…
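The PocketBase half of that check, as an added example rather than the post's own auditor: it walks a collections export and flags every operation whose rule is the empty string. The collection names and rules below are constructed sample data; the one subtlety worth encoding is that an empty rule means anyone, while a null rule means locked (superusers only), so the two must not be conflated.

```python
import json

# Constructed sample in the shape of a PocketBase collections export
# (Settings > Export collections); names and rules are made up.
SAMPLE_EXPORT = json.dumps([
    {"name": "users", "type": "auth",
     "listRule": "id = @request.auth.id", "viewRule": "id = @request.auth.id",
     "createRule": "", "updateRule": "id = @request.auth.id", "deleteRule": None},
    {"name": "b2b_leads", "type": "base",
     "listRule": "", "viewRule": "", "createRule": "",
     "updateRule": "", "deleteRule": ""},
    {"name": "audit_log", "type": "base",
     "listRule": None, "viewRule": None, "createRule": None,
     "updateRule": None, "deleteRule": None},
])

RULE_FIELDS = ("listRule", "viewRule", "createRule", "updateRule", "deleteRule")


def public_operations(collection):
    """Return the API operations any caller, authenticated or not, may perform.

    PocketBase semantics: "" (empty rule) imposes no restriction at all,
    None/null means 'locked' (superusers only), and a filter string is
    neither. Only the empty string is a finding.
    """
    return [field[:-len("Rule")] for field in RULE_FIELDS
            if collection.get(field) == ""]


def audit_export(export_json):
    """Map each collection that has at least one empty rule to its public ops."""
    findings = {}
    for collection in json.loads(export_json):
        ops = public_operations(collection)
        if ops:
            findings[collection["name"]] = ops
    return findings


if __name__ == "__main__":
    for name, ops in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: public {', '.join(ops)}")
```

In the sample, audit_log is fully locked and produces no finding, users only exposes create (open sign-up), and b2b_leads is open for every operation.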