Unfortunately, Wappler has a non-ideal permission system and your concerns are totally valid.
There’s really no easy way to make the security “forgot-proof”. I don’t know about RLS, JonL will probably comment soon
You can see my past concern here in this topic:
In my own projects I’m using Global steps to perform the check at each URL, but I wouldn’t consider it to be the “ideal” solution either (mistakes can still happen)