Salesforce security is a very complex topic
In my article Salesforce Security, What Every Developer Must Know, I introduce you to this complex topic, which involve three independent but related concepts: CRUD, FLS and Record Access.
Apex classes and triggers run in System Mode
By default Apex will have access to all data regardless of the CRUD, FLS or Record Access restrictions the user running your code may have (except for execute anonymous which runs in user mode).
To prevent accidental data leaks, Apex allows you to define the class as With Sharing which will enforce record access only. Note that CRUD and FLS restrictions are always ignored even when using With Sharing.
Visualforce pages and components run in User Mode
The Visualforce Security article mentions this, so it's possible (hopefully not) that you are not too concerned about the fact that Apex could expose sensitive data because even if you return an sObject or list of sObjects, Visualforce will watch your back!!!
Warning: Lightning components and applications run in System mode
If you have been relying on that fact that Visualforce is watching your back (hopefully not), be very careful with Lightning Components not to expose sensitive data because Lightning Components will not watch your back.
Ok, so how can you ensure the security will be protected if Apex runs in System mode? Good question, I'm glad you asked.
ETLC_SecureDB to the rescue.
I have just released an Apex library (ETLC_SecureDB) which will help you write secured Lightning Components/Applications by checking the user’s CRUD, FLS and Record Access security when writing SOQL queries and executing DML operations.
Download the repository here: https://github.com/eltoroit/ETLC_SecureDB