Retool - how it works and security

Are there any resources or community posts that explain how Retool works and what code / queries are exposed to users? I'm trying to get a handle on what security considerations I should take into account when building an app.

For example, can an app user modify an SQL query to change the input parameters or raw query?
Can a user of a public app modify the JavaScript queries to change the behaviour and read any variables (I assume this is the case from reading about debugging Retool in the browser)?

In essence I'm looking for a high level understanding of what runs backend or in the browser and

Any pointers much appreciated.

I've found a bit more in the user permission docs in the Preventing query spoofing section.
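The concern behind the question (anything that lives in the browser, including query inputs, can be altered by the person running the app) is easiest to see in code. The following is an added example, not Retool's code or anything from its docs, and it makes no claim about how Retool implements query spoofing protection. It uses a constructed in-memory SQLite table and a hypothetical `run_named_query` function to show the pattern a backend needs regardless of the front end: the SQL text stays server-side in a catalogue, the client may only name a catalogued query and supply values for its declared placeholders, and those values are bound by the driver rather than spliced into the statement. `run_unsafe_query` is the contrast case where a client-controlled value becomes part of the SQL text.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from Retool): a tiny in-memory customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Ada", "eu"), (2, "Grace", "us"), (3, "Linus", "eu")],
    )
    return conn


# Server-side query catalogue (hypothetical). The SQL text never leaves the server;
# a client can only refer to a key and must supply exactly the listed placeholders.
QUERIES = {
    "customers_by_region": (
        "SELECT id, name FROM customers WHERE region = :region ORDER BY id",
        {"region"},
    ),
}


def run_named_query(conn, name, params):
    """Execute a catalogued query with driver-bound parameters.

    - `name` must be a catalogue key, so a raw SQL string sent by a client is rejected;
    - `params` must contain exactly the placeholders the statement declares, so a
      client cannot smuggle in extra or missing inputs;
    - values are passed to the driver as parameters, so they are treated as data.
    """
    if name not in QUERIES:
        raise ValueError(f"unknown query {name!r}: clients may not submit SQL text")
    sql, allowed = QUERIES[name]
    if set(params) != allowed:
        raise ValueError(f"expected parameters {sorted(allowed)}, got {sorted(params)}")
    return conn.execute(sql, params).fetchall()


def run_unsafe_query(conn, region):
    """The pattern to avoid: a client-controlled value spliced into the SQL string.

    Whatever the browser sends becomes part of the statement, which is exactly the
    'user modifies the raw query' situation the question asks about.
    """
    return conn.execute(
        f"SELECT id, name FROM customers WHERE region = '{region}'"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(run_named_query(db, "customers_by_region", {"region": "eu"}))
    # A quote in the value is just data on the safe path, so nothing matches.
    print(run_named_query(db, "customers_by_region", {"region": "eu' OR '1'='1"}))
    # The same value on the unsafe path changes the query and returns every row.
    print(run_unsafe_query(db, "eu' OR '1'='1"))
```

The point for app builders is that the allow-list of queries, the placeholder check and the parameter binding all happen on the server; nothing a user can edit in browser devtools changes which SQL runs or how the values are interpreted. Putting the same checks in client-side JavaScript would give no protection, because that code runs under the user's control.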