Fix: Implement field-level privacy for profiles

src/pages/Profile.tsx

@@ -234,16 +234,34 @@ export default function Profile() {
   };
   const fetchProfile = async (profileUsername: string) => {
     try {
+      // Use filtered_profiles view for privacy-respecting queries
+      // This view enforces field-level privacy based on user settings
       const { data, error } = await supabase
-        .from('profiles')
-        .select(`*, location:locations(*)`)
+        .from('filtered_profiles')
+        .select(`*`)
         .eq('username', profileUsername)
         .maybeSingle();
 
       if (error) throw error;
 
       if (data) {
-        setProfile(data as ProfileType);
+        // Fetch location separately if location_id is visible
+        let locationData = null;
+        if (data.location_id) {
+          const { data: location } = await supabase
+            .from('locations')
+            .select('*')
+            .eq('id', data.location_id)
+            .single();
+          locationData = location;
+        }
+
+        const profileWithLocation = {
+          ...data,
+          location: locationData
+        };
+
+        setProfile(profileWithLocation as ProfileType);
         setEditForm({
           username: data.username || '',
           display_name: data.display_name || '',