URL: https://dev.to/zawoj/payload-local-api-zero-http-but-full-access-control-when-you-want-it-3bdo

Payload Local API: zero HTTP, but full access control when you want it


payload.find() hits the database directly, in the same process — no HTTP, no fetch. By default it also bypasses access control, on the assumption that server-side code trusts itself.

That assumption is exactly where holes appear. In server functions and endpoints that run on behalf of a user, you have to consciously turn enforcement on:

// `payload` is the initialized Payload instance and `user` is the user the
// server function or endpoint is acting for (e.g. req.user); both come from
// the surrounding server code.

// DANGEROUS — full access: overrideAccess defaults to true, so the
// collection's access.read function is never consulted
const allDocs = await payload.find({ collection: 'posts' })

// SAFE — enforces access control as the given user
const allowedDocs = await payload.find({
  collection: 'posts',
  overrideAccess: false,
  user,
})

The trap is the default: overrideAccess is true unless you say otherwise. Any Local API call that returns data to an end user should pass overrideAccess: false and the user.
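To make the difference concrete without a database, here is an added example (not code from the post or from Payload itself) that simulates the Local API semantics described above: an in-memory `posts` collection, a collection config whose `access.read` follows Payload's convention of returning `true`, `false` or a Where-style constraint, and a `find` whose `overrideAccess` defaults to `true` exactly like the real one. The `findAsUser` wrapper is a hypothetical helper that pins `overrideAccess` to `false` and forces the caller to say who the request is for (`null` for anonymous), so the dangerous default cannot creep back in. The sample documents, the role names and the access rule are all constructed for this demonstration.

```javascript
// Constructed sample data standing in for the "posts" collection.
const posts = [
  { id: 1, title: 'Public roadmap', status: 'published', author: 'alice' },
  { id: 2, title: 'Draft: pricing change', status: 'draft', author: 'alice' },
  { id: 3, title: 'Draft: internal memo', status: 'draft', author: 'bob' },
];

// Hypothetical collection config in the shape of a Payload CollectionConfig.
// access.read follows Payload's convention: return true (allow everything),
// false (deny), or a Where-like object that is AND-ed onto the query.
const postsCollection = {
  slug: 'posts',
  access: {
    read: ({ req: { user } }) => {
      if (!user) return { status: { equals: 'published' } };          // anonymous: published only
      if (user.roles.includes('admin')) return true;                   // admins: everything
      return { or: [{ status: { equals: 'published' } },               // others: published or own
                    { author: { equals: user.email } }] };
    },
  },
};

// Minimal Where evaluator: supports { field: { equals } }, { and: [...] }, { or: [...] }.
function matchesWhere(doc, where) {
  if (where.and) return where.and.every((w) => matchesWhere(doc, w));
  if (where.or) return where.or.some((w) => matchesWhere(doc, w));
  return Object.entries(where).every(([field, cond]) => doc[field] === cond.equals);
}

// Simulated Local API (not Payload's code). As in Payload, overrideAccess
// defaults to true, which means access.read is skipped entirely.
const payload = {
  collections: { posts: { config: postsCollection, docs: posts } },
  async find({ collection, overrideAccess = true, user = null, where }) {
    const { config, docs } = this.collections[collection];
    let result = where ? docs.filter((d) => matchesWhere(d, where)) : docs;
    if (!overrideAccess) {
      const access = await config.access.read({ req: { user } });
      if (access === false) throw new Error('Forbidden'); // the simulation rejects like a 403
      if (access !== true) result = result.filter((d) => matchesWhere(d, access));
    }
    return { docs: result, totalDocs: result.length };
  },
};

// Hypothetical helper for request-scoped server code. The user argument is
// mandatory (null = anonymous) and overrideAccess is hard-wired to false, so a
// forgotten option can no longer silently disable access control.
async function findAsUser(user, collection, options = {}) {
  if (user === undefined) {
    throw new TypeError('findAsUser: pass the acting user, or null for anonymous');
  }
  return payload.find({ ...options, collection, overrideAccess: false, user });
}

// Runs the four cases side by side and returns the document counts each sees.
async function demo() {
  const everything = await payload.find({ collection: 'posts' });            // default: bypass
  const anon = await findAsUser(null, 'posts');                               // anonymous
  const alice = await findAsUser({ email: 'alice', roles: ['editor'] }, 'posts');
  const admin = await findAsUser({ email: 'root', roles: ['admin'] }, 'posts');
  return {
    bypass: everything.totalDocs,
    anon: anon.totalDocs,
    alice: alice.totalDocs,
    admin: admin.totalDocs,
  };
}

demo().then((r) => console.log(r));
```

Running it shows the bypass call returning all three posts, including both drafts, while the same query routed through `findAsUser` returns one document for an anonymous caller, two for alice (the published post plus her own draft) and three for an admin. The point of the wrapper is not the filtering logic, which Payload already implements, but that a request-scoped code path has no way to call `find` without naming the user it acts for.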