Don't just hide buttons in Oracle APEX when only some privileged users should be able to execute a process. A user can still trigger the process with a little JavaScript. Additionally, use the read-only functionality where possible.
If you use sequences to generate primary key values, make sure you use the checksum feature of APEX. Otherwise, users can easily discover data they should not be able to see by raising or lowering the numeric ID in the URL.
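Both tips as an added example (not code from the original page): a page process that re-checks the authorization scheme on the server, and a report query that builds checksummed links with `APEX_UTIL.PREPARE_URL`. The `ORDERS` table, page 10, the `P10_ORDER_ID` item and the scheme name `Order Administrators` are hypothetical; the checksum is only enforced when Session State Protection is enabled for the application and the item is set to require a checksum.

```sql
-- 1) Source of a page process of type "Execute Code" (hypothetical
--    "Delete order" process). It runs on the server when the page is
--    submitted, so the check holds even if the hidden button's request
--    is sent from the browser console.
begin
    -- Re-check the authorization scheme instead of trusting that the
    -- button was not rendered. The scheme name is an assumption.
    if not apex_authorization.is_authorized(
               p_authorization_name => 'Order Administrators') then
        raise_application_error(-20001, 'Not authorized to delete orders.');
    end if;

    delete from orders
     where order_id = :P10_ORDER_ID;
end;
/

-- 2) Report query that links to the detail page (page 10) and passes the
--    sequence-generated key. PREPARE_URL appends the &cs= checksum when
--    Session State Protection requires one, so editing the ID in the URL
--    invalidates the checksum and APEX rejects the request.
select o.order_id,
       o.order_date,
       apex_util.prepare_url(
           p_url           => 'f?p=' || :APP_ID || ':10:' || :APP_SESSION
                              || '::NO::P10_ORDER_ID:' || o.order_id,
           p_checksum_type => 'SESSION'   -- checksum valid for this session only
       ) as detail_link
  from orders o;
```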