[UPDATE] There is now an official and documented Auth Package which provides different solutions to secure a collection.

On a CRUD level :

[Server] collection.allow(options) and collection.deny(options). Restricts default write methods on this collection. Once either of these are called on a collection, all write methods on that collection are restricted regardless of the insecure package.

And there is also insecureto remove full write access from the client.

source : Getting Started with Auth (thanks to @dan-dascalescu)

[OLD ANSWER]

Apparently there are working on Auth Package(?) that should avoid any users taking full control on the db as it is now. There is also someone suggesting that there is an existing solution (workaround) by defining your own mutations (methods) and make them failed if they attempts to perform an unauthorized action. I didn’t get it much better but I think this will often be necessary since I doubt the Auth Package will let you implement the usual auth logic on a row level but probably only on the CRUD methods. Will have to see what the devs have to say.

[EDIT]
Found something that seems to confirm my thoughts :

Currently the client is given full write access to the collection. They can execute arbitrary Mongo update commands. Once we build authentication, you will be able to limit the client’s direct access to insert, update, and remove. We are also considering validators and other ORM-like functionality.

Sources of this answer :

Accessing to DB at client side as in server side with meteor

https://stackoverflow.com/questions/10100813/data-validation-and-security-in-meteor/10101516#10101516