Your application/developers have access to all user profile data and metadata. Some profile attributes are read only (user_id). If you want to limit access to profile data, I’m sure there is a way to do it (maybe with an API?) but that is a bit beyond my expertise.
user_metadata is intended for attributes that the user (application end-user) should be able to change (e.g., mailing address), while app_metadata is for attributes the user should not be able to change (e.g., assigned groups / roles, an application-specific identifier).
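The split described above, sketched as a server-side check on a profile update request; this is an added example and not part of the original post or of any vendor's code. The function name, the actor labels `user` and `app`, the deny-by-default handling of other attributes, and the sample request are assumptions made for illustration.

```javascript
// Assumption: user_id is the only read-only attribute named in the post.
const READ_ONLY = new Set(['user_id']);

// Hypothetical helper: decide which parts of a requested profile patch
// may be applied. actor is 'user' (the application end-user) or 'app'
// (the trusted backend acting on its own authority).
function authorizeProfilePatch(actor, patch) {
  const allowed = {};
  const rejected = [];
  for (const [key, value] of Object.entries(patch)) {
    if (READ_ONLY.has(key)) {
      rejected.push(key);              // read-only for every actor
    } else if (key === 'user_metadata') {
      allowed[key] = value;            // end-user editable by design
    } else if (key === 'app_metadata' && actor === 'app') {
      allowed[key] = value;            // groups/roles: application only
    } else {
      rejected.push(key);              // anything else is denied by default
    }
  }
  return { allowed, rejected };
}

// Constructed sample: a request body in which an end-user edits a mailing
// address and also tries to set fields they must not control.
const SAMPLE_PATCH = {
  user_metadata: { mailing_address: '1 Example Street' },
  app_metadata: { roles: ['admin'] },
  user_id: 'constructed|0001',
};

function demo() {
  return {
    asUser: authorizeProfilePatch('user', SAMPLE_PATCH),
    asApp: authorizeProfilePatch('app', SAMPLE_PATCH),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Logging the `rejected` list for end-user requests gives a simple signal when a client is trying to write attributes that only the application should set.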