Is this in the frontend or the admin panel? (I assume frontend)
If it is the frontend, then writing a policy would be best: Backend customization - Strapi Developer Documentation
Basically you prefilter results on the logged-in user’s id (assuming orders have a relation to the user) you can extract user information from ctx.state.user and modify the ctx.query to inject additional filters. (or return errors)