Testing Bubble API with Postman, it's working without any authentication?

Hi everyone, sorry if this is a dumb question but I’m just learning and messing with APIs and had a question. In my Bubble app under API I have both workflows and data API enabled and have a few data types selected, and also have an API key. It then shows the data API root url to use. When I use Postman though and do a GET using that root URL which ends in /obj/ and then add the name of the data type after and hit send, it pulls the first 100 records immediately and never asks for the API key or anything.

When doing a workflow API I see that under the endpoint I can set it to not require authentication, and when doing a POST from Postman I can trigger the workflow easily. Just confused about the data one and why it lets anyone retrieve all data from Bubble just by knowing the data API root url.

Just wanted to edit that I understand I need to use roles but I’m a bit confused still how that works in terms of Postman. If I create a privacy role on the data type I see that “Everyone else” controls what data is visible, but I’m not clear on how I set a rule. I made one and the only real option is “Current user” but not sure what I’d pick there. I tried “is logged in” but that didn’t seem to work and not sure how the user would be logged in when using Postman. Sorry if a dumb question just messing with this to see how it all works.