from your backend codebase you can determine the object of data you want to return to the client...
for example.. twitter uses graphql and if you want to request for a particular object/data of a user.. it will never return user's password because it has been removed from the column you can play with..
moreover, when you are authenticating a user, it better to use client token verification such as jwt(Json Web Token)
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.