So I was doing some tests on permissions and I noticed a bug.
I created a user and gave no permission to that user. And I tested if I could see its permission.
I called the API in the browser:
api/resource/Delivery Note Item?fields="*"
and it returned all the data. I tried with all child tables and it returns all the data. This is risky because users can see the data, even if you have not given them permission.