Question 1:

In Power Apps app:

• Regarding the data, it depends on the permissions you grant to the roles (Member, Guest, Colleagues with access" to what they can do.
• If you have a user that is a "Member" of the team and you assign the "Table permission" or "Full access" to the role "Members", then any "Member" will be able to "Read all records" and "Update or delete all records", even if in your Canvas App doesn't show all the records, such as you put a filter to only show records starting with the letter "A". They can get access to the data outside of your "Canvas App" in the "back end" so to speak. More below...
• By default, when a new table is created, "Members" are assigned the table permission of "Full access", which seems bonkers to me...
• So from my testing, a user that is a "Member" can
  • download the Power Apps app >
  • click the Build tab >
  • Select the environment >
  • find the table where, for example, in your canvas app you added the filter to the gallery only show the records with the letter "A" meaning a user of the app couldn't see any data that doesn't begin with "A" >
  • click Edit data >
  • and see all the data.
• They can create new records, edit those records and delete those records.
• They can also edit and delete a record not created by them.
• And of course, they can do all the same create, read, update and delete operations as above on the table data if they created their own Canvas App.
• And, I would imagine, but haven't tested, they can do the same if they create a Flow as well.
• So if you provide a different "table permission" to the "Member" role, such as "Collaborate" which allows them to "Read all records" and "Update or delete their own records" on that table, then they can do all of the above, but only interact with their own records.
• So the first thing is definitely to look at and assign correct access in "Manage permissions" on a table.

• They can also point Power BI to the Dataverse for Team environment and see all the records.

• They can go to flow.microsoft.com, see the environment, tables etc, but I can't find a way to get to the data, even with the "Full access" permissions assigned to "Members".

Question 2

• I'm not sure what permissions are needed, but I believe you can prevent people from downloading the Power Apps app.
• Here's a link that might be of use
• And another. Let us know if you find out anything more.

• Not that I've found for "Members".
• For me, this is one of the biggest drawbacks with Dataverse for Teams. As it allows members to go into the "back end" and mess with your tables, such as edit the display name. It even allowed me to delete the entire table! I'm really hoping someone reads this and then provides an answer on how to stop this, as it seems madness that any "Member" can edit/delete someone else's entire table.
• Instead, to stop this, what I did was
• create a canvas app in a different environment,
• then on the "table permissions" I used "Colleagues with access" and assigned it the permission of say, "Collaborate".
• I then selected a Microsoft Security Group for the Canvas App and shared it that way.
• As the users were not "Members" of the environment where I created the "Canvas App" they were not able to get into the back end tables/data and mess around.
• This Microsoft Doc explains more.
• Seems like a lot of hoops to jump through to prevent people messing with your tables. Again hopefully someone has a better solution.

Hope this helps you, or someone else stumbling across this article. Any further input from anyone would be greatly appreciated.