Client, provider, admin: on one database, isolation must not rely on application code. Row-Level Security makes it structural.
A marketplace or a multi-role product shares one database across actors with different rights. If isolation lives in application queries, a single missed one is enough to leak.
Put the rule in the database
Row-Level Security enforces the access policy at the row level, inside PostgreSQL. Same query, but each role only sees its own data. Security no longer depends on developer discipline.
You write policies per table and per operation: read, write, delete. Role and identity are carried by the token and checked at the database.
The traps
Badly designed RLS fails silently or opens too much. You must test each policy with each role, and beware of service access that bypasses the rules. The service key must never reach the front end.
Done right, this model survives application rewrites: the guarantee is in the database, not the layer above.