To restrict data, always start with limited access, such as user-level permissions. Then give additional access only when required.
For example, users can see only their own records based on ownership. Business units can limit access by department. Field-level security can hide sensitive fields like salary.
Important rule: permissions are cumulative, so if a user already has organization-level access, you cannot restrict specific records later.
