Too Long; Didn't Read
You should always set the permissions of your database collections to be as restrictive as possible. Each permission should only be granted to the Admin role unless there is a specific reason to grant the permission to additional roles. Sometimes, you may need to grant access to collection data only in a specific situation or only to a specific user. Changing permissions of the collections will not work in such cases because doing so exposes the data to all users of with the permitted role all the time. When you need a user with a different role to access the collection, you can perform that operation in Backend code.