Major Description
Today, if a scan is sent that contains a column that, per the sender's authz token, the sender isn't authorized to see, the entire scan is rejected. This is all well and good, but users may not be privy to what columns they are or aren't allowed to scan. So, when the default projection is used (which scans all columns), the scan is bound to be rejected if there are any privilege restrictions.
It'd be significantly more user-friendly if clients opaquely pruned the default projection of unauthorized columns so that (assuming the authz token is valid) default scans always succeed with just the columns the user is authorized to see.
Special care should be taken for if the user has no column privileges though; passing an empty projection is taken to return the count of rows (which requires the same privileges as COUNT
which requires the same privileges as SELECT, i.e. SELECT ON TABLE) rather than an empty set of rows. In such a case, clients should probably fail immediately, since there are no table privileges an no column privileges in the authz token so any scan would be bound to fail.