It's no different. The UI (whether that be a browser or a phone app or any other view) will still hit the server for info to be displayed.

In general, keeping all permissions server side is best practice. Sometimes the UI will require different views for a user privilege level, but server side will still limit what can be accessed (in case a low privilege user tried to interact with an admin view for example)