Well, they can, unless you have a privacy rule that limits access to being logged in.
Let’s get specific here: Privacy rules apply at the data type level, right? If the data type is complex, you see options for various fields.
Let’s consider a practical example: Let’s say you collect date of birth and home address when you onboard a user. Should anyone but the system, you the administrator, and that specific user themselves be able to see that? Let’s say no. (We assume that these values are stored in fields on that user’s User object for purposes of the rest of this reply.)
So how do we keep anyone else from seeing that info, even if we do something dumb in our page design and on-page-load workflows? We do that by setting a privacy rule for the User data type.
Here’s our simple User data type:
The highlighted fields should only be visible to the user themselves.
Here are the privacy rules for that:
IF the Current User isn’t the User described by this object (that is, if Alice is viewing Bob’s User object):
Those fields that are unchecked under the View section will NEVER be downloaded to the browser, and an on-page workflow (or API workflow that respects privacy rules) will never see a value for those fields. Such fields will always return null. (In Bubble terms, they are “empty.”)
If the Current User is the User described by this object (that is, Bob is viewing Bob’s User object):
All fields will show whatever value is stored there. (Of course, such values may also be empty or null, but it won’t be because of privacy rules.)
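The two rules described in this reply, modeled as a server-side filter. This is an added illustration, not part of the original post and not Bubble's own code or API: the field names, `applyPrivacy`, `searchUsers` and the sample users are all hypothetical, and it assumes date of birth and home address are the protected fields.

```javascript
// Model of field-level "view" privacy rules, applied on the server before any
// record is sent to the browser. All names are hypothetical, not Bubble's API.

// Constructed sample data: two User objects with sensitive fields.
const users = [
  { id: "alice", name: "Alice", dateOfBirth: "1990-04-02", homeAddress: "1 Elm St" },
  { id: "bob", name: "Bob", dateOfBirth: "1985-11-17", homeAddress: "9 Oak Ave" },
];

// Rules for the User data type, checked in order; the first match wins.
// Each rule lists the fields the viewer may see when its condition holds.
const userRules = [
  { // Current User is the User described by this object: every field visible.
    when: (viewer, rec) => viewer !== null && viewer.id === rec.id,
    view: ["id", "name", "dateOfBirth", "homeAddress"],
  },
  { // Anyone else: the protected fields are left out of the view list.
    when: () => true,
    view: ["id", "name"],
  },
];

// Return a copy of the record in which every field the viewer may not see is
// null. The real value never leaves this function, so page code cannot leak it.
function applyPrivacy(rules, viewer, record) {
  const rule = rules.find((r) => r.when(viewer, record));
  const visible = new Set(rule ? rule.view : []); // no rule matched: hide all
  const out = {};
  for (const field of Object.keys(record)) {
    out[field] = visible.has(field) ? record[field] : null;
  }
  return out;
}

// A careless "load every User" search still passes through the filter.
function searchUsers(viewer) {
  return users.map((u) => applyPrivacy(userRules, viewer, u));
}

// Bob sees his own values; Alice's protected fields come back null ("empty").
console.log(searchUsers({ id: "bob" }));
```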

