Securing User-Pet Associations in Strapi via REST API

I have a specific category, for example, “pets”, and I want to link it with users through categories. A user can have multiple pets. I want users to only see the pets that belong to them. This can be achieved by filtering on users and pets linked to them. However, since the REST API happens in the browser, users can manipulate it, for example, by performing a findall operation (part of filtering) or removing the user ID. The JWT would not give an error, but now the user can see all pets, which is not the intended behavior. Can someone please help me figure out how to solve this? Thanks in advance.