Re: Protect extension' internal tables - how?

From: Aleksander Alekseev
Subject: Re: Protect extension' internal tables - how?
Date:
Msg-id: CAJ7c6TOQVQRLjrEqZXwKTNQH_UkYt0fzXRr2w0vTQG5oEYGrHA@mail.gmail.com
In reply to: Protect extension' internal tables - how?  (Nikita Malakhov <hukutoc@gmail.com>)
Responses: Re: Protect extension' internal tables - how?
List: pgsql-hackers
Hi,

> Could you please advise or give some hint on what is the correct (and
> secure) way to implement this?
>
> Currently I use the owner of the extension as owner when creating
> such a table inside the function, but maybe there are some pitfalls
> in this kind of solution?

If the goal is to protect the user from _accidental_ access to the
tables, placing them into a separate schema _my_extension_private or
something will be enough.

Otherwise consider using corresponding access control abilities of
PostgreSQL and creating functions with SECURITY DEFINER [1]. Be
mindful that your functions will become a target for privilege
escalation, so you should be extra careful with the implementation.

[1]: https://www.postgresql.org/docs/current/sql-createfunction.html

-- 
Best regards,
Aleksander Alekseev
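
Added example, not part of the original message: one way to combine the private schema with a SECURITY DEFINER entry point, hardened as the CREATE FUNCTION documentation in [1] recommends (pinned search_path, schema-qualified objects, EXECUTE revoked from PUBLIC). The names my_extension_private, job_queue, my_extension_enqueue and app_user are hypothetical.

```sql
-- Constructed example; every object and role name here is hypothetical.
BEGIN;

-- A role standing in for an ordinary, unprivileged caller.
CREATE ROLE app_user NOLOGIN;

-- Internal tables live in a schema that other roles cannot look into.
CREATE SCHEMA my_extension_private;
REVOKE ALL ON SCHEMA my_extension_private FROM PUBLIC;

CREATE TABLE my_extension_private.job_queue (
    id         bigserial   PRIMARY KEY,
    payload    text        NOT NULL CHECK (length(payload) <= 1024),
    created_by name        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);
REVOKE ALL ON my_extension_private.job_queue FROM PUBLIC;

-- The only entry point. It runs with its owner's privileges, so:
--   * search_path is pinned, with pg_temp last, so a caller cannot shadow
--     functions or operators with objects in a schema they control;
--   * the table is schema-qualified;
--   * there is no dynamic SQL built from the argument.
CREATE FUNCTION public.my_extension_enqueue(p_payload text)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
    v_id bigint;
BEGIN
    -- current_user is the function owner here; session_user is the caller.
    INSERT INTO my_extension_private.job_queue (payload, created_by)
    VALUES (p_payload, session_user)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

-- Functions are executable by PUBLIC by default; revoke in the same
-- transaction as the CREATE so there is no window of open access.
REVOKE ALL ON FUNCTION public.my_extension_enqueue(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.my_extension_enqueue(text) TO app_user;

COMMIT;
```

With this in place app_user can call public.my_extension_enqueue('...') but a direct SELECT on my_extension_private.job_queue fails with a permission error.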


