Public app query - is this SQL query secure?


In a public Retool app I'm using the query below. The aim is that this query can only ever return the row where portal_id = 'b235ada7-fb23-44ef-9bc4-88e38acd7b8d', where portal_id is pulled from the URL params. Question is, could a user insert a wildcard instead of the portal_id UUID to also return other results, or otherwise manipulate the app / query to return clients for whom they don't know the portal_id UUID?

SELECT * from client WHERE portal_id = 'b235ada7-fb23-44ef-9bc4-88e38acd7b8d'
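
An added example, not part of the original post: it checks the wildcard question against an in-memory SQLite table with constructed rows, comparing `=` with `LIKE` and adding a server-side UUID format check. It assumes the URL value reaches the database as a bound parameter (the post does not show how the app passes it); the function names and the second UUID are hypothetical.

```python
import sqlite3
import uuid

KNOWN_ID = "b235ada7-fb23-44ef-9bc4-88e38acd7b8d"  # UUID from the post
OTHER_ID = "11111111-2222-4333-8444-555555555555"  # constructed second client


def make_db():
    """Build a constructed client table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (portal_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO client VALUES (?, ?)",
        [(KNOWN_ID, "Client A"), (OTHER_ID, "Client B")],
    )
    return conn


def lookup_equals(conn, portal_id):
    """Bound parameter compared with '=': % and _ are ordinary characters."""
    return conn.execute(
        "SELECT name FROM client WHERE portal_id = ?", (portal_id,)
    ).fetchall()


def lookup_like(conn, portal_id):
    """Weak variant for contrast: LIKE interprets % and _ inside the value."""
    return conn.execute(
        "SELECT name FROM client WHERE portal_id LIKE ?", (portal_id,)
    ).fetchall()


def lookup_strict(conn, portal_id):
    """Equality plus a format check: anything that is not a UUID gets no rows."""
    try:
        canonical = str(uuid.UUID(portal_id))
    except (ValueError, AttributeError, TypeError):
        return []
    return lookup_equals(conn, canonical)


if __name__ == "__main__":
    db = make_db()
    for value in (KNOWN_ID, "%", "b235ada7%"):
        print(repr(value), lookup_equals(db, value),
              lookup_like(db, value), lookup_strict(db, value))
```

With `=` and a bound parameter, a wildcard string matches only a row whose portal_id is literally that string, so the remaining exposure is someone learning or guessing a valid UUID.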