Identifies over-fetching, exposed PII, and data leakage across Drizzle queries and API responses.
Review all Drizzle queries and API responses. Flag any SELECT * queries, responses that return more fields than the client needs, endpoints that expose other users' data, missing pagination limits, and any PII (email, phone, address) returned without necessity.