You can use policies or the controller to say that they only get THEIR data depending on ctx.state.user, I believe. At least there is a user object, so if they are authenticating with a JWT, Strapi knows which user and you can look that up instead of giving back everything.
You can also use populate to give back X data if it's nested or relationships.
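Added example, not part of the original post: a plain-JavaScript sketch of scoping a controller's results to `ctx.state.user`, including the case where the client sends its own owner filter. The `owner` relation, the sample rows and the in-memory `matches` evaluator are assumptions standing in for a real content type and Strapi's query layer.

```javascript
// Added example: owner scoping in a Strapi-style controller, in plain JS.
// Assumptions: a hypothetical "owner" relation on the content type, and a
// Koa-like ctx where ctx.state.user was set from the verified JWT.

// Constructed sample rows standing in for the database.
const ROWS = [
  { id: 1, title: 'alice-note', owner: { id: 10 } },
  { id: 2, title: 'bob-note', owner: { id: 20 } },
  { id: 3, title: 'alice-draft', owner: { id: 10 } },
];

// Build a query that always carries the owner constraint. Client filters are
// kept, but wrapped in $and so they cannot replace or widen the owner clause.
function scopeQueryToUser(ctx) {
  const user = ctx.state && ctx.state.user;
  if (!user) {
    const err = new Error('Unauthorized');
    err.status = 401;
    throw err;
  }
  const clientFilters = (ctx.query && ctx.query.filters) || {};
  return {
    ...ctx.query,
    filters: { $and: [clientFilters, { owner: { id: user.id } }] },
  };
}

// Minimal evaluator for the filter shapes used here (stand-in for the ORM).
function matches(row, filter) {
  return Object.entries(filter).every(([key, want]) => {
    if (key === '$and') return want.every((f) => matches(row, f));
    if (want !== null && typeof want === 'object') {
      return row[key] != null && matches(row[key], want);
    }
    return String(row[key]) === String(want);
  });
}

// find: list only the caller's rows.
function find(ctx) {
  const { filters } = scopeQueryToUser(ctx);
  return ROWS.filter((row) => matches(row, filters));
}

// findOne: same scoping, so another user's id yields null instead of their row.
function findOne(ctx) {
  const scoped = find(ctx);
  return scoped.find((row) => String(row.id) === String(ctx.params.id)) || null;
}
```

The same scoping has to apply to `findOne`, `update` and `delete`, since filtering only the list endpoint leaves single-record routes readable by id.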