Views in PostgreSQL access their underlying tables with the ROLE of the user who created the view. Since you mostly create views from the Supabase SQL editor, you are effectively using a user with the ROLE 'postgres', which bypasses the restrictions.
In recent versions of PostgreSQL (15 and later), a view can follow not the creator's ROLE but the RLS policies already set up on the root tables of the VIEW. For that, you need to pass the security_invoker argument when creating the VIEW:
create view <VIEW_NAME> with (security_invoker = true | false) as select <QUERY>;
I usually develop locally, and one thing I notice is that when we deploy a newly created VIEW to the cloud, Supabase usually gives a warning that it couldn't find RLS policies for the created VIEW. To fix this warning and make sure the view always obeys the RLS policies, you have to create the view with security_invoker = true.
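The difference can be reproduced in a scratch PostgreSQL 15+ database. The script below is an added example, not code from the original post. The table, policy, view and role names are hypothetical, and it assumes the session runs as a superuser so it can create a role and switch to it.

```sql
-- Constructed demo; all object and role names are hypothetical.
-- Run as a superuser in a scratch database; everything is rolled back at the end.
begin;

create role demo_user;  -- stands in for an ordinary, non-privileged API role

create table notes (
  id    int  primary key,
  owner text not null,
  body  text not null
);
alter table notes enable row level security;

-- A role may read only the rows whose owner column equals its role name.
create policy notes_owner_only on notes
  for select using (owner = current_user);

insert into notes values
  (1, 'demo_user',    'mine'),
  (2, 'someone_else', 'not mine');

-- Default behaviour: table access is checked as the view owner. The owner here
-- also owns the table, so RLS is bypassed for everyone who queries the view.
create view notes_definer as select * from notes;

-- security_invoker = true: table access is checked as the calling role.
create view notes_invoker with (security_invoker = true) as select * from notes;

-- With security_invoker the caller also needs its own privilege on the table.
grant select on notes, notes_definer, notes_invoker to demo_user;

set local role demo_user;
select id, owner from notes_definer;  -- not filtered by notes_owner_only
select id, owner from notes_invoker;  -- filtered by notes_owner_only for demo_user
reset role;

-- Audit: views in public that were not created with security_invoker=true.
-- reloptions keeps the literal spelling, so 'security_invoker=on' needs its own check.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'v' and n.nspname = 'public'
  and not coalesce(c.reloptions @> array['security_invoker=true'], false);

-- An existing view can be switched in place instead of being recreated.
alter view notes_definer set (security_invoker = true);

rollback;
```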