chore/limit which user fields are exposed

Currently all reads of users return allergies, phonenumber, etc... This might not be that GDPR friendly so we should look into a way to limit what is fetched for different purposes. The simplest solution would be different levels of user info to fetch.