That's not true; you can use row level security (RLS) to control access (both reading and writing) on a per-row basis. You can think of it as similar to an implicit "where" clause that automatically gets added to all requests.

RLS: https://www.postgresql.org/docs/current/ddl-rowsecurity.html