Without any server-side logic, I suppose user permissions must have been handled entirely by the database, with clients connecting as different database users?

Did row-level security already exist in some databases at that time? Otherwise this must have been quite limiting.