supabase client exposes schema details via hint and messages #1009

bombillazo opened this issue Apr 9, 2024 · 0 comments
Labels
bug Something isn't working

Comments


Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

In our app, we manage everything with the service role from the backend. We've updated our database role privileges and grants so that the anon and authenticated roles cannot access the public and storage schemas since Supabase hardcodes these schemas as enabled in the client.


We use the client in our frontend app for authentication purposes using the anon_key. However, we noticed that even with the privileges revoked, even non-authenticated users could snoop using the different supabase client functions like select and rpc.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Use the supabase client
  2. Revoke access, privileges and grants from anon/authenticated DB roles
  3. Use any of the supabase client functions that query a table or call an RPC
  4. See response messages and hints

Expected behavior

We don't want any details leakage in our API, and the Supabase client unfortunately acts as a vector to snoop around with the anon key for API details.

Screenshots

[four screenshots attached to the original issue]

System information

  • Version of supabase-js: 2.42.0
@bombillazo bombillazo added the bug Something isn't working label Apr 9, 2024
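The report above concerns PostgREST error bodies (`code`, `message`, `details`, `hint`) reaching a client that only holds the anon key, so that "permission denied for table X" and "function public.Y(...) does not exist" messages reveal relation and function names even after grants were revoked. The following is an added example, not code from supabase-js, PostgREST or the issue author. It assumes an architecture the issue does not describe: a backend proxy that sits between browser clients and PostgREST and rewrites error bodies before forwarding them. It keeps the SQLSTATE code (so callers can still distinguish an authorization failure from a missing resource) and drops everything descriptive; a second function checks whether a body still mentions any known schema identifier, which doubles as a regression test for the proxy and as a scanner for logged responses. The sample errors and the table, function and parameter names are constructed.

```javascript
// Added example, not code from supabase-js, PostgREST or the issue author.
// Assumed architecture: a backend proxy between browser clients and PostgREST
// rewrites error bodies before forwarding them. The error shape
// { code, message, details, hint } is the one PostgREST uses; the sample
// errors and the schema identifiers below are constructed for illustration.

// Stable, non-descriptive messages keyed by PostgreSQL SQLSTATE codes.
// Any code not listed falls back to a generic message, so a new error type
// can never leak by omission.
const GENERIC_MESSAGES = {
  "42501": "Permission denied.",   // insufficient_privilege
  "42P01": "Resource not found.",  // undefined_table
  "42703": "Resource not found.",  // undefined_column
  "42883": "Resource not found.",  // undefined_function
};

// Keep only the error code; drop message/details/hint, which is where
// relation, column and function names (and suggestion text) appear.
function redactPostgrestError(error) {
  const code =
    error && typeof error.code === "string" ? error.code : "UNKNOWN";
  return {
    code,
    message: GENERIC_MESSAGES[code] || "Request failed.",
  };
}

// Apply redaction only to error responses (HTTP 4xx/5xx); data responses
// pass through untouched so the proxy stays transparent for normal clients.
function sanitizeResponse(status, body) {
  if (status >= 400) {
    return { status, body: redactPostgrestError(body) };
  }
  return { status, body };
}

// Defender-side check: does a body still mention any known schema identifier?
// Matching is case-insensitive and looks only at string-valued fields.
function leaksIdentifiers(body, identifiers) {
  if (!body || typeof body !== "object") return false;
  const text = Object.values(body)
    .filter((v) => typeof v === "string")
    .join(" ")
    .toLowerCase();
  return identifiers.some((name) => text.includes(name.toLowerCase()));
}

// Constructed samples: the kind of body returned once SELECT has been revoked
// from the anon role on a table, and when an RPC is called with a wrong
// signature (the hint text is PostgreSQL's standard wording).
const SAMPLE_ERRORS = [
  {
    status: 401,
    body: {
      code: "42501",
      details: null,
      hint: null,
      message: "permission denied for table customer_invoices",
    },
  },
  {
    status: 404,
    body: {
      code: "42883",
      details: null,
      hint: "No function matches the given name and argument types. You might need to add explicit type casts.",
      message: "function public.rotate_api_keys(p_user_id => text) does not exist",
    },
  },
];

// Constructed list of identifiers the schema owner does not want exposed.
const SCHEMA_IDENTIFIERS = ["customer_invoices", "rotate_api_keys", "p_user_id"];

// For each sample: does it leak before redaction, and after?
function demo() {
  return SAMPLE_ERRORS.map(({ status, body }) => ({
    code: body.code,
    before: leaksIdentifiers(body, SCHEMA_IDENTIFIERS),
    after: leaksIdentifiers(sanitizeResponse(status, body).body, SCHEMA_IDENTIFIERS),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Because the proxy whitelists what it forwards (a code and a fixed message) rather than blacklisting known-bad fields, a future PostgREST version adding a new descriptive field cannot reintroduce the leak; `leaksIdentifiers` run over the proxy's output in CI catches any regression in that mapping.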