Hi Vincent,
The best way is to use a policy on Post endpoints.
In this policy, you can retrieve the authenticated user, his/her linked posts and the targeted post then check if user is authorized to do the action.
See doc => Policies - Backend customization - Strapi Developer Docs