> I think what's happening is people are creating additional public users tables and not setting proper RLS for them

Yep: https://supabase.com/docs/guides/auth/managing-user-data

> For security, the Auth schema is not exposed in the auto-generated API. If you want to access users data via the API, you can create your own user tables in the public schema.
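
An added example, not part of the original comment or the linked docs: a catalog query that lists tables in the `public` schema with their row level security state, followed by a user table created with RLS enabled and owner-only policies. The table name `public.profiles`, its columns and the policy names are assumptions made for illustration; `auth.users`, `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Constructed example; public.profiles and its columns are hypothetical.

-- 1. Audit: every table in the public schema, whether RLS is enabled,
--    and how many policies it has.
--    rls_enabled = false: any role with grants on the table sees every row.
--    rls_enabled = true and policy_count = 0: non-owner roles see no rows.
select c.relname         as table_name,
       c.relrowsecurity  as rls_enabled,
       count(p.polname)  as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity
order by c.relrowsecurity, c.relname;  -- tables without RLS sort first

-- 2. A user table in the public schema, keyed to auth.users,
--    with RLS turned on before any data is written.
create table public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text
);

alter table public.profiles enable row level security;

-- Signed-in users can read only their own row.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using ((select auth.uid()) = id);

-- Signed-in users can create only a row whose id is their own user id.
create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check ((select auth.uid()) = id);

-- Signed-in users can update only their own row and cannot reassign it.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);
```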