Making sure a user in APEX cannot see data they should not see can be done in the application code. It is probably the worst way to do it: it is error prone, and an attacker who gains access as an application user will not use that filter.
Security needs to be set up outside of any application. One good way to do it is to use VPD (Virtual Private Database) in an Oracle database. This session explains and shows how it can be done, and provides all the steps to configure it for an APEX application, using APEX-specific features for the segmentation of data.
The end result is that a user can only see the data they have access to, even if a "select *" is issued against the table(s).
Seeing how easy it is to implement, and understanding why no code or application changes are necessary, will make you ready to put this tool into your toolbox and use it in your next project.
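As an added illustration (not code from the session), here is a VPD policy that restricts a table to the rows of the current APEX user, so that a plain "select *" is filtered by the database itself. The table ORDERS, its OWNER_NAME column, the schema APP_SCHEMA, the policy and function names, and the use of the APEX$SESSION application context as the segmentation key are all assumptions.

```sql
-- Constructed sample table; ORDERS, OWNER_NAME and APP_SCHEMA are assumed names.
CREATE TABLE orders (
  order_id   NUMBER PRIMARY KEY,
  owner_name VARCHAR2(255) NOT NULL,  -- APEX user name that owns the row
  amount     NUMBER
);

-- Policy function: the database appends the returned predicate to every
-- statement against the protected table, regardless of which client sent it.
CREATE OR REPLACE FUNCTION orders_vpd_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Outside an APEX session APP_USER is NULL, the comparison is never true,
  -- and no rows are visible (fail closed).
  RETURN q'[owner_name = SYS_CONTEXT('APEX$SESSION', 'APP_USER')]';
END orders_vpd_predicate;
/

-- Attach the function to the table as a row-level security policy.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_SCHEMA',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_APEX_USER',
    function_schema => 'APP_SCHEMA',
    policy_function => 'ORDERS_VPD_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE  -- reject writes that would create rows the user cannot see
  );
END;
/

-- Executed as: SELECT * FROM orders
--              WHERE owner_name = SYS_CONTEXT('APEX$SESSION', 'APP_USER')
SELECT * FROM orders;
```

SYS and accounts holding the EXEMPT ACCESS POLICY privilege are not subject to the policy, so those grants belong in the review when VPD is the control.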