On an out of box 7.x installation, if a system user is granted the employee role, then they can see a lot of things actually that they probably shouldn’t. These are my notes as to how to restrict so an employee can only see his/her own record.
All these changes happen in role permission manager.
**DocType** **Change**
Appraisal Add Apply User Permission + If Employee
Employee Add Apply User Permission + If Employee
Leave Application Add Apply User Permission + If Employee + If Leave Application
Salary Slip Add Apply User Permission + If Employee
Student Application Remove Guest Role
Timesheet Add Apply User Permission + If Employee
Hope this helps. I had to do some test scenarios in my test instance to figure this out. This is an area of the platform that is not well documented.