diff --git a/surfsense_web/zero/queries/folders.ts b/surfsense_web/zero/queries/folders.ts
index 50c246f60..0d0868889 100644
--- a/surfsense_web/zero/queries/folders.ts
+++ b/surfsense_web/zero/queries/folders.ts
@@ -1,9 +1,12 @@
 import { defineQuery } from "@rocicorp/zero";
 import { z } from "zod";
 import { zql } from "../schema/index";
+import { canReadSpace, constrainToAllowedSpaces, denySpace } from "./authz";
 
 export const folderQueries = {
-	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId } }) =>
-		zql.folders.where("searchSpaceId", searchSpaceId).orderBy("position", "asc")
-	),
+	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId }, ctx }) => {
+		const query = zql.folders.where("searchSpaceId", searchSpaceId);
+		if (!canReadSpace(ctx, searchSpaceId)) return denySpace(query).orderBy("position", "asc");
+		return constrainToAllowedSpaces(query, ctx).orderBy("position", "asc");
+	}),
 };
diff --git a/surfsense_web/zero/queries/inbox.ts b/surfsense_web/zero/queries/inbox.ts
index d85b7212f..8b02824fd 100644
--- a/surfsense_web/zero/queries/inbox.ts
+++ b/surfsense_web/zero/queries/inbox.ts
@@ -3,7 +3,10 @@ import { z } from "zod";
 import { zql } from "../schema/index";
 
 export const notificationQueries = {
-	byUser: defineQuery(z.object({ userId: z.string() }), ({ args: { userId } }) =>
-		zql.notifications.where("userId", userId).orderBy("createdAt", "desc")
-	),
+	byUser: defineQuery(z.object({ userId: z.string() }), ({ args: { userId }, ctx }) => {
+		if (!ctx?.userId || userId !== ctx.userId) {
+			return zql.notifications.where("userId", "__none__").orderBy("createdAt", "desc");
+		}
+		return zql.notifications.where("userId", ctx.userId).orderBy("createdAt", "desc");
+	}),
 };
diff --git a/surfsense_web/zero/queries/podcasts.ts b/surfsense_web/zero/queries/podcasts.ts
index 5298534dd..3dfefc9ab 100644
--- a/surfsense_web/zero/queries/podcasts.ts
+++ b/surfsense_web/zero/queries/podcasts.ts
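Review bot: The `.orderBy("position", "asc")` on the two new return lines of `bySpace` is duplicated across the deny and allow branches, so the two sides can drift apart (the same shape recurs in the podcasts hunk). Selecting the scoped query first and ordering once leaves a single ordering site: `const scoped = canReadSpace(ctx, searchSpaceId) ? constrainToAllowedSpaces(query, ctx) : denySpace(query);` followed by `return scoped.orderBy("position", "asc");`. Nothing in the hunk records why both helpers are applied rather than one; a comment above the check such as `// Deny outright when ctx cannot read this space; otherwise still constrain to ctx's allowed spaces as defense in depth` would capture that intent, with the caveat that the exact semantics of the helpers live in `./authz`, outside this diff.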
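Review bot: The deny branch of `byUser` encodes authorization failure as the literal userId `"__none__"`, while the folders and podcasts hunks route denial through `denySpace` from `./authz`; the sentinel only holds as long as no real user id ever equals `"__none__"`, and inlining it here means the deny convention now exists in two places. Prefer a shared helper or exported constant in `./authz` so one definition is reviewed and tested, e.g. `return denyUser(query).orderBy("createdAt", "desc");` (helper name constructed as a suggestion). The `userId` argument is now only compared against `ctx.userId` and the filter itself uses `ctx.userId`; a short comment such as `// args.userId is checked against ctx but never used as the filter value` would make that deliberate choice visible to the next reader.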
@@ -1,12 +1,15 @@
 import { defineQuery } from "@rocicorp/zero";
 import { z } from "zod";
 import { zql } from "../schema/index";
+import { canReadSpace, constrainToAllowedSpaces, denySpace } from "./authz";
 
 export const podcastQueries = {
-	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId } }) =>
-		zql.podcasts.where("searchSpaceId", searchSpaceId).orderBy("createdAt", "desc")
-	),
-	byId: defineQuery(z.object({ podcastId: z.number() }), ({ args: { podcastId } }) =>
-		zql.podcasts.where("id", podcastId).one()
+	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId }, ctx }) => {
+		const query = zql.podcasts.where("searchSpaceId", searchSpaceId);
+		if (!canReadSpace(ctx, searchSpaceId)) return denySpace(query).orderBy("createdAt", "desc");
+		return constrainToAllowedSpaces(query, ctx).orderBy("createdAt", "desc");
+	}),
+	byId: defineQuery(z.object({ podcastId: z.number() }), ({ args: { podcastId }, ctx }) =>
+		constrainToAllowedSpaces(zql.podcasts.where("id", podcastId), ctx).one()
 	),
 };
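Review bot: `byId` relies on `constrainToAllowedSpaces` alone, whereas `bySpace` in the same hunk (and in the folders hunk) first checks `canReadSpace` and falls back to `denySpace`; unless `constrainToAllowedSpaces` is guaranteed to yield an empty result for a ctx with no readable spaces (its implementation in `./authz` is outside this diff), a podcast fetched by id may be governed by a different rule than the same podcast listed via its space. If the helper does cover that case, a comment above `byId` such as `// constrainToAllowedSpaces alone suffices here: the space filter is derived from ctx, not from args` would record the reasoning; otherwise apply the same guard used in `bySpace`. The `.orderBy("createdAt", "desc")` is also repeated on both `bySpace` return lines, as noted on the folders hunk.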