IDOR vulnerability in Alfresco Community 6.0.2 and Alfresco Community 7.3

Alexabas1
Champ in-the-making

Our Information Security department has asked us to obtain official documentary and technical evidence confirming that the Alfresco Community 6.0.2 and 7.3 products do not have vulnerabilities related to IDOR (Insecure Direct Object Reference), or that such vulnerabilities are properly mitigated in line with the service's security design. Likewise, we would appreciate examples of how to invoke these API services.

We kindly request official documentation describing how the service prevents IDOR-type vulnerabilities.

1 ACCEPTED ANSWER

jesusmarmol
Confirmed Champ

Hi. Alfresco implements access control list (ACL) based permissions.

This means that when you use the API to access a node, it checks the permissions of that node. For example, if you try to get the info of user 1 (endpoint /people/user1), it will check whether you have the correct permissions to read the user node.

If I, logged in as user2, try to manipulate the URL to call /people/user1, the ACL implementation will check my permissions by looking at the authenticated user that is making the call (that's why most endpoints also need authentication to be called), and it will block my attempt to read or modify the info of user 2.

This implementation is horizontal, and every endpoint of the default REST API uses Java services that implement ACL interceptors to check for permissions and avoid unauthorized manipulation of data.

Of course, manipulation of the URL can be a problem if you have permissions to modify both user1 and user2 (you are logged in as admin, for example), but in that case you could call the API directly and modify the info without needing to manipulate default calls.

By default, Alfresco is resilient against this: you can only modify what your logged-in user has permissions for. As a developer you should develop in a similar way (default services in the backend already implement ACL). As an administrator you should ensure that each site has a set of permissions and that it is clear who can modify what, with groups and permissions for nodes.

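The technical evidence the question asks for can be produced by exercising the /people endpoint described in the answer from a low-privilege account and recording how the server responds. The script below is an added example, not Alfresco's code or the answerer's; it assumes the standard v1 REST path (/alfresco/api/-default-/public/alfresco/versions/1), basic authentication, and a pluggable transport so the logic can be exercised without a server. Host, credentials and user names are placeholders.

```python
"""Added evidence script: does the Alfresco ACL stop user2 from changing user1's
person node through the REST API? Assumes the v1 public API path."""
import base64
import json
import urllib.error
import urllib.request

API = "/alfresco/api/-default-/public/alfresco/versions/1"


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_request(method, url, headers, body=None):
    """Real transport: returns (status, response text). Replaced in tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def idor_check(base_url, user, password, other_user, transport=http_request):
    """Logged in as `user`, read own profile (via the -me- alias), then read
    and try to update `other_user`. The update must be refused for the ACL
    to be doing its job; the read result is reported so the reviewer can
    compare it with the permissions configured on the deployment."""
    headers = basic_auth(user, password)
    people = f"{base_url}{API}/people"
    own_status, _ = transport("GET", f"{people}/-me-", headers)
    read_status, _ = transport("GET", f"{people}/{other_user}", headers)
    write_status, _ = transport("PUT", f"{people}/{other_user}", headers,
                                {"description": "authorization probe"})
    return {
        "self_read_ok": own_status == 200,
        "other_read_status": read_status,
        "other_update_refused": write_status in (401, 403, 404),
    }


if __name__ == "__main__":  # placeholders: host, test accounts, password
    print(idor_check("http://localhost:8080", "user2", "PASSWORD", "user1"))
```

Run it once per product version with a throwaway test account and keep the printed dict alongside the server's audit log entries as the evidence record.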

2 REPLIES

Thank you for your answer!