> Any example more complex in the backend?

The home page has some examples of complex startups that use Instant as their core infra:

https://www.instantdb.com/#:~:text=Startups%20love%20Instant

> Are we supposed to expose all entities and relationships and rely on row level security?

Yes. This may feel foreign, but we think it's one the best ways to do permissions. We were originally inspired by Facebook's EntPrivacy. When you have permissions at the object layer, you can be more confident that _any_ query you write would be allowed.