Access control: is it a problem to uncheck 'Bypass content access control' permission for my OAuth consumer? #754

Open
championlife opened this issue May 3, 2024 · 0 comments
Labels
question Question asked by a user triage A new issue that needs triage

Comments

@championlife

Package: Not package-specific

Ask the question

I'm needing to restrict access to certain nodes and custom entities based on some logic I'm hoping to do Drupal-side. This isn't my specific use case, but such as you could see published articles you wrote, but not published ones you didn't write.
I'd like to block access for this in Drupal - I think I have to use grants and records (hook_node_grants etc).

In nextjs I am using the password grant and NextAuth code borrowed from example-umami.
In Drupal I set up a consumer and all that entails, with a role of "next_user".

The sequence goes like this:

  • I login to nextjs site with a test user I have setup in Drupal. The test user has a role of "Member".
  • I make a request to fetch resources with jsonapi in nextjs (await drupal.getResourceCollection... etc)
  • When I examine the user trying to gain node access in Drupal, the logged in \Drupal\Core\Session\AccountInterface $account ID matches my test user but the ROLES it has are "authenticated" and "next_user".
  • Because "next_user" has bypass permissions, they get everything in the jsonapi call and my access code is ignored.

So two questions:

  1. Can I uncheck the "bypass..." permission if my decoupled users don't need to see previews/unpublished content?
  2. Am I doing something wrong with my setup if when I log in through Nextjs, in Drupal the logged in user has the same ID but the "next_user" role? Would it be bad in a hook to grab that ID and do a User::load($account->id()) to get the actual information for that user?
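The grant-based rule the question sketches (published nodes visible to everyone, unpublished nodes only to their author), written out as an added example. This is not code from the issue, from next-drupal or from simple_oauth; the module name `decoupled_access`, its realm names and the extra "reviewer" role are assumptions made for the illustration. Two points from the question are reflected in it: an account holding "Bypass content access control" (machine name `bypass node access`) never reaches `hook_node_grants()` at all, which is why unchecking it on the consumer role is what makes the grants apply; and because the request's `$account` may report the consumer's roles rather than the user's stored ones, any role check is done on the entity returned by `User::load($account->id())`, as the second question proposes.

```php
<?php

/**
 * @file
 * Hypothetical module "decoupled_access" (added example; not code from the
 * issue, from next-drupal or from simple_oauth).
 *
 * Realms used by this example (an assumption of the example, not a Drupal
 * convention):
 *   decoupled_access_published  gid 0           published nodes, anyone
 *   decoupled_access_author     gid = node uid  unpublished nodes, their author
 *   decoupled_access_reviewer   gid 0           unpublished nodes, accounts whose
 *                                               stored user entity has the
 *                                               hypothetical role "reviewer"
 */

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;
use Drupal\user\Entity\User;

/**
 * Implements hook_node_access_records().
 *
 * Runs when a node is saved or node access is rebuilt. Every node gets at
 * least one record here, so the node_access table always has an entry for it.
 */
function decoupled_access_node_access_records(NodeInterface $node) {
  $record = [
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  ];
  if ($node->isPublished()) {
    return [$record + ['realm' => 'decoupled_access_published', 'gid' => 0]];
  }
  return [
    $record + ['realm' => 'decoupled_access_author', 'gid' => (int) $node->getOwnerId()],
    $record + ['realm' => 'decoupled_access_reviewer', 'gid' => 0],
  ];
}

/**
 * Implements hook_node_grants().
 *
 * Runs per request for the acting account. Two things from the issue apply:
 * (1) this hook is never reached for an account that holds "bypass node
 * access", and (2) $account may be the token wrapper whose getRoles() reports
 * the consumer's roles, so the role check goes through the stored user entity.
 */
function decoupled_access_node_grants(AccountInterface $account, $op) {
  if ($op !== 'view') {
    return [];
  }
  // Everyone, including anonymous, may view published nodes.
  $grants = ['decoupled_access_published' => [0]];
  $uid = (int) $account->id();
  if ($uid > 0) {
    // The author realm is keyed by uid, so the token's uid is enough here.
    $grants['decoupled_access_author'] = [$uid];
    // Hypothetical "reviewer" role: checked on the stored user, not the token.
    if (_decoupled_access_stored_user_has_role($uid, 'reviewer')) {
      $grants['decoupled_access_reviewer'] = [0];
    }
  }
  return $grants;
}

/**
 * Checks a role on the user entity stored in Drupal rather than on the
 * request's account object. Cached per request: node_grants fires often.
 */
function _decoupled_access_stored_user_has_role(int $uid, string $role): bool {
  $cache = &drupal_static(__FUNCTION__, []);
  if (!array_key_exists($uid, $cache)) {
    $user = User::load($uid);
    // getRoles(TRUE) leaves out the locked anonymous/authenticated roles.
    $cache[$uid] = $user ? $user->getRoles(TRUE) : [];
  }
  return in_array($role, $cache[$uid], TRUE);
}
```

After enabling a module that implements these hooks, rebuild the node_access table (for example `drush php:eval 'node_access_rebuild();'`, or from the status report), otherwise existing nodes keep their old records. The consumer role still needs "View published content" (`access content`) for JSON:API reads to succeed once the bypass permission is removed. Node grants cover nodes only; for the custom entities mentioned in the question the equivalent hook is `hook_ENTITY_TYPE_access()` (or the entity type's own access control handler), which receives the same `$account` and can apply the same `User::load()` approach.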