Private Sign in, Limit Access by Email

I’m not totally sure on that answer. I just go under the assumption that any data that is not behind row owners or a secure private login is susceptible to being snooped by a savvy user, regardless of whether they can access that part of the app or not. I’m not sure at what level the database is cached on the user’s device, but I would assume that most, if not all, data is synced and downloaded to the device to provide speed and ease of use to the end user. Row owners prevent that download from happening for users that are not meant to see that data. Like you said, security through obscurity is not security at all.

Case in point is the recent post where a fellow app builder was notified by an anonymous user that all user data was accessible through various techniques, even though it was not technically visible in the app UI.

4 Likes