Ian Barwick <barwick@gmx.de> writes:
> i.e. user "joe" can see which objects exist in schema "foo2", even though
> he has no USAGE privilege. (Is this behaviour intended?)
It's open for debate I suppose. Historically we have not worried about
preventing people from looking into the system tables, except for cases
such as pg_statistic where this might expose actual user data.
AFAICS we could only prevent this by making selective views on the
system tables and then prohibiting ordinary users from accessing the
underlying tables directly. I'm not in a big hurry to do that myself,
if only for backward-compatibility reasons.
We still do have the option of separate databases, and I'd be inclined
to tell people to use those if they want airtight separation between
users.
regards, tom lane