In this case, only the user itself should have access to its own User object.
Currently the ACL is set in the Cloud Code afterSave trigger, right after the user is created:
Parse.Cloud.afterSave("_User", async (request) => {
const user = request.object;
if (!user.existed()) {
user.setACL(new Parse.ACL(user));
await user.save();
}
});
Is it possible to do that in beforeSave trigger (to save a DB write)?
I took a look at the Parse Server code and it should be possible. I was afraid that the default ACL could override what you've set in the beforeSave trigger but that's not the case. As you can see here it maintains what is set beforehand and you can actually send this setting even from the client.
Setting an empty ACL in beforeSave will ensure that only the user is granted access, because a user is granted access to their own _User object by default:
request.object.setACL(new Parse.ACL());