ConfiForms plugin uses and follows Confluence permissions model.

You can restrict ConfiForms controls (such as fields and edit controls) to certain user groups and users, usually a comma separated list is expected (could be mixed of groups and users)

In ConfiForms:

• each form has an administrator(s) - a user(s) who can do all the operations with stored data 
• form administrator is the one who has EDIT permissions on the page where form is configured or ConfiForms Form macro has explicitly set this person (or a group) as form administrator
• each stored entry has an owner (or owners), a user who has created this entry (by default, but could be overwritten). Each record in ConfiForms has an ownedBy user multi-select field (part of metadata fields Documentation). Which can be used to give/share an ownership to the record between individuals (form administrators will have this ability in any way, no matter who is the owner of the record)
• an owner could change entry data (unless edit functionality is disabled, but only in the fields which are not restricted to this user)
• anonymous users can create records but cannot modify any record (this is because the record has to be owned by the user and records created by anonymous users owned by "no-one"). Such records could be edited/deleted by form administrators
• an administrator could change any entry (including "delete"), he has also permissions to export stored data in XML, CSV, JSON and EXCEL formats
• entry owner is a mutable field and could be changed by a form administrator (or record owner). This means that the original creator of the entry will loose his edit rights to the entry if the owner is altered (ownedBy field)
• stored data is visible to a user if he has access to the page where form is configured (page VIEW permission)

Important:

• When you use "file" fields in ConfiForms to upload files - the files are stored as attachments on the same page where the form is configured. Attachments in Confluence are accessible for all users who have VIEW rights on this page. (please also note that in order for this field type to work you must enable add/delete attachments permission)

Restricting forms

• Anyone with edit permissions on the page with ConfiForms Form macro is an administrator of this form. Users with "view" only permissions on the page with ConfiForms Form are normal users of the form (except in the cases when a user has system administrator for Confluence)
• You can restrict page edit permissions, but still have your users as form administrators. This is controlled through ConfiForms Form macro parameters
  
  
  • You can set additional form administrators
  • You can specify super users
  • You can also enable access to form data even if user does not have permissions to access the page with ConfiForms Form
    
• By default, using REST API is not enabled for form non-admin users. This is controlled by enabling export via ConfiForms Form macro parameter
  
  
  

It is important to understand that Confluence requires a user to have EDIT permissions on the page to allow uploading attachments. For ConfiForms this means that you need to open the page to anyone if you want to accept file uploads in your form, which is really not good and does not feel safe. As users will become form administrators as well. Which is rarely wanted

ConfiForms has introduced a way to bypass this requirement and this could be controlled via the following parameter in ConfiForms Form Definition macro

Related:

Why do I see an extra button with + sign on my form and ownedBy field