Every record is isolated by user and protected with CSRF + validation.