Questions on Privacy Rules

Assuming that no privacy rules are in place and the Bubble Data API is turned off, I am trying to figure out how an end user might access data they shouldn’t be accessing.

Let’s say I have an ORDERS thing and I create a simple page that shows orders just for a specific user with a repeating group. How can a user view orders that aren’t their own?

The way Bubble talks about privacy rules, they make it seem as if this is possible, so I’d like to understand how to make that happen. (This way we can include these kinds of tests as a standard part of our development process.)

Thanks.