While setting up user access to applications and objects stored in Salesforce, an administrator will grant access to applicable applications, tabs, and related objects via a Profile or Permission Set. By default, a user will log into the org through the standard Salesforce login page by entering their username and password. Salesforce provides standard user experiences for your users to access your objects, and, in doing so, fully tests that they honor security configurations. As such, they can be considered trusted experiences.
In fact, all standard Salesforce REST and SOAP APIs that are also used by the Lightning UIs honor the security configuration for a given user. This follows a best practice when building any type of API, which is to never trust the caller of the API.
Now, consider if you or another developer wanted to integrate...