Best method is either the policies system or the route middleware’s system depend on how you want to handle it.
Using policies if someone tries to delete or whatever something owned by someone else you can simply reject the request and return an error.
Using the route middlewares you could modify the request to make it valid (injecting filters, changing filters, ect). Or return an error depending on the case.
The users-permissions on it’s own isn’t advanced enough yet to pay attention to ownership or field level permissions and it’s those features we want to build natively eventually but for now that type of complex logic needs to be built by you (admittedly it’s not that complex to build per user’s project but it’s difficult for us to build generic enough for everyone’s use-case)