Convenient way for Security with methods

In Meteor tutorial I saw that I have to do “Security with methods”. Do I have to do that when I have done PuSu (as I think you call it), per userId from the server? Is there a more convenient way of doing it as I have several Collections?

I have a hard time wrapping my head around this issue but is publishing projects as this by userId not safe?

Meteor.publish('projects', function(){
  return Projects.find({userId:this.userId});

Can anyone run this in the console on the server to remove all projects for all users?

Projects.find({}).forEach(function (doc) {
   Projects.remove({_id: doc._id});

If so, what’s the difference with this ?

Well yes, if they have the rights to do it. Remove the insecure package and it’s okay

For your remove to run on the client, you’d need an explicit allow rule for that to work. On the server, it would work out of the box.

The server is only I as a creator of the app that has access to, right?

Yes, I recommend you to read this too to know more about Meteor.methods