I haven’t personally moved from Xata to Supabase, but I’ve used both for smaller projects. Xata’s generous free tier is great for scaling without hitting limits too quickly, and their API is pretty intuitive, similar to Supabase’s REST APIs. If you don’t expect to need more than 5 GB, Xata could be a solid choice, especially since their limits are fairly high compared to Supabase’s free tier. You might also want to check out other options like PlanetScale or Railway if you're looking for even more flexibility with pricing and scaling.
Supabase gets attention because it bundles a lot of sharp edges away, not because it is the only shape that exists. Underneath, it is still Postgres plus opinionated glue. If you want headless and lower ceremony, you can look at things like plain Postgres with PostgREST, Hasura, or similar GraphQL layers. You keep control of schema and migrations without committing to a full low-code UI. On the vector side, pgvector works fine if your scale is modest and you value operational simplicity. Once vectors dominate the workload, people often split it out later. The tradeoff is usually less about features and more about how much invisible behavior you are willing to inherit early on.
If the app can read it, you can’t make it “only the app” in a perfect sense, because the keys have to live on the device somewhere. What you can do is make it “only this install of the app on this device” by using OS-backed key storage. The usual pattern is: encrypt the local database with a per-device key, store that key in the iOS Keychain / Android Keystore, and let the OS gate access (biometrics or device unlock if you want). If you are using SQLite, look at SQLCipher or an equivalent encrypted store, then keep the SQLCipher key in Keychain/Keystore, not hardcoded in the app. Also assume rooted/jailbroken devices can still dump memory or hook the process, so treat local encryption as protecting data at rest against casual extraction, not as a full DRM scheme. One more thing: if you are pulling from Supabase, make sure your auth rules are correct server-side too. Local encryption won’t fix an overly broad API role or leaked service key.
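The Android half of that pattern, as an added Kotlin example that is not from the post above: a non-exportable AES key in the Android Keystore wraps a random per-install SQLCipher key, so the raw key is never hardcoded and only exists in memory while the database is being opened. It assumes the `net.sqlcipher` SQLCipher-for-Android library, and the key alias and file names are made up for the example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import net.sqlcipher.database.SQLiteDatabase
import java.io.File
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val ALIAS = "db-key-wrapper" // assumed alias name for the example

// Keystore-resident AES key. It cannot be exported, so it wraps the SQLCipher key
// instead of being the SQLCipher key itself.
private fun wrappingKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true) // OS gates use on device unlock / biometrics;
        .build()                             // callers must handle UserNotAuthenticatedException
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Raw 32-byte SQLCipher key: generated once per install, persisted only as an
// AES-GCM wrapped blob (12-byte IV prefix) in app-private storage.
private fun databaseKey(ctx: Context): ByteArray {
    val blob = File(ctx.filesDir, "db.key.wrapped") // assumed file name
    if (blob.exists()) {
        val data = blob.readBytes()
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.DECRYPT_MODE, wrappingKey(), GCMParameterSpec(128, data.copyOfRange(0, 12)))
        return c.doFinal(data.copyOfRange(12, data.size))
    }
    val raw = ByteArray(32).also { SecureRandom().nextBytes(it) }
    val c = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, wrappingKey()) }
    blob.writeBytes(c.iv + c.doFinal(raw))
    return raw
}

fun openEncryptedDb(ctx: Context): SQLiteDatabase {
    SQLiteDatabase.loadLibs(ctx)
    val key = databaseKey(ctx)
    try {
        return SQLiteDatabase.openOrCreateDatabase(ctx.getDatabasePath("local.db"), key, null)
    } finally {
        key.fill(0) // limit how long the raw key sits in the heap (memory dumps on rooted devices)
    }
}
```

On a rooted device the key is still recoverable from process memory while the database is open, which is exactly the "data at rest, not DRM" limit the answer describes.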