diff --git a/packages/runtime/src/enhancements/node/policy/handler.ts b/packages/runtime/src/enhancements/node/policy/handler.ts
index 44a7ad66..6af9a1ca 100644
--- a/packages/runtime/src/enhancements/node/policy/handler.ts
+++ b/packages/runtime/src/enhancements/node/policy/handler.ts
@@ -140,6 +140,14 @@ export class PolicyProxyHandler implements Pr
 return handleRejection();
 }
+ if (isList && !this.policyUtils.injectForList(this.prisma, this.model, _args)) {
+ if (this.shouldLogQuery) {
+ this.logger.info(`[policy] \`${actionName}\` ${this.model}: unconditionally denied`);
+ }
+
+ return handleRejection();
+ }
+
+ this.policyUtils.injectReadCheckSelect(this.model, _args);
 if (this.shouldLogQuery) {
diff --git a/packages/runtime/src/enhancements/node/policy/policy-utils.ts b/packages/runtime/src/enhancements/node/policy/policy-utils.ts
index 04d22c89..ce405add 100644
--- a/packages/runtime/src/enhancements/node/policy/policy-utils.ts
+++ b/packages/runtime/src/enhancements/node/policy/policy-utils.ts
@@ -652,6 +652,14 @@ export class PolicyUtil extends QueryUtils {
 return true;
 }
+ /**
+ * Injects auth guard for read operations.
+ */
+ injectForList(_db: CrudContract, _model: string, _args: any) {
+ // make select and include visible to the injection
+ return true;
+ }
+
 //#endregion
 //#region Checker
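Review bot: The denial logged in the new `isList` branch of handler.ts says only `unconditionally denied`, with nothing to show that the list guard produced it. The context lines just above close another `return handleRejection();` block, which presumably logs the same text, so someone reading the query log could not tell a list-guard denial from a read-guard one. Ending the message with something like `${this.model}: unconditionally denied by list guard` would keep the audit trail unambiguous. `isList` and the enclosing method are defined outside the hunk, so how `isList` is derived cannot be checked from here.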
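Review bot: `injectForList` in policy-utils.ts is documented as "Injects auth guard for read operations", but its body injects nothing and returns `true` for every input. The caller in handler.ts rejects only on `false`, so this method adds no enforcement for list queries, and anyone auditing the policy layer would read the doc comment as a guarantee that does not hold yet. Until the logic exists the comment should say so, for example `/** Placeholder for list-query guard injection: currently a no-op that always returns true (allow). */`, and the inline `// make select and include visible to the injection` should become a TODO or be dropped. An explicit `: boolean` return type would also pin down the contract the caller depends on. The enclosing class starts and ends outside the hunk.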