Contacts many_to_many relationship with Users - how to use?

If you navigate to Admin -> Studio -> Contacts -> Relationships, you will see that Contacts has a many-to-many relationship with Users. 

I cannot access a contact's users via the API. I've tried `Contacts/:id/link/users`, `Contacts/:id/collection/users`, `Contacts/:id/link/contacts_users`, and `Contacts/:id/link/contacts_users`. How exactly can we access this relationship via the API?

Context: we are using SugarCRM as an API for a custom frontend, and we would like to leverage the many-to-many relationship between contacts and users to set up restricted visibility for assigned users. I'm aware that SugarCRM has a default assigned_user field, but we need to assign more than one user to contacts. 

  • I think that you would want to use the Teams functionality to restrict access and Team-Based Permissions

  • This won't work for us since we don't want the rigidity of teams. This will be similar to, say, Google Docs, where you can add or remove users on an individual level for each doc.

    I may just create an additional many-to-many relationship to handle this.

  • The link name is user_sync (see modules/Contacts/vardefs.php), so 'Contacts/:id/link/user_sync' would return a contact's users. Coming from users, the link name is contacts_sync (see modules/Users/vardefs.php).
    But the contacts_users relationship is used for contact syncing with the MS Outlook Plug-in.

    As Jeff said, Teams and Team-Based Permissions should do what you want. Remember that for every user in Sugar, a corresponding private team is automatically created. So you can add or remove access for individual users by adding/removing their private teams.

  • Wow, thanks for this... I did not remember that because I didn't know until now... thanks so much!! Looking into it now. Does this apply to other modules as well (for instance, can a private team be used to restrict access to Notes)? I'll dig in myself but you may know more readily. 

  • Absolutely. This applies to any module with Team Security enabled (including custom modules), and that's pretty much all out-of-the-box modules.

  • Last question here: if I am an admin-level user with API access, I can still access resources even if I'm not on an assigned team. For example, if there's a Note and the only associated team is Team Claus, I still see that note when I GET /Notes.

    Is there an easy way for me to make an API request that only fetches resources to which I have access (i.e. Global, or any team which is also associated with that resource) other than using filter params? I haven't found anything yet so I thought I'd ask here, plus filter params would not provide the security we would like (I would have to add logic hooks to make sure we don't return resources to which a given user does not have access).

  • Admins can access all modules and all records in Sugar and are not subject to team or role restrictions, see here.

    Doesn't your custom frontend authenticate / access the APIs in the context of a specific user (like the Sugar UI does)?

    If you have specific reasons to use a single admin user (maybe because you authenticate against another system and don't want to set up Single Sign-on with Sugar) then this should help:

    https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_11.0/Integration/Web_Services/REST_API/Endpoints/oauth2sudouser_name_POST/index.html

    Get an access token as another user. The current user must be an admin in order to access this endpoint. This method is useful for integrations in order to be able to access the system with the same permission restrictions as a specified user. The calling user does not lose their existing token, this one is granted in addition.

  • You just saved me so much work! I owe you a coffee / tea / beer if we ever meet. Thanks for this! I was testing locally but my users were admin-level users. Once I modified the user to Regular User it worked as you describe.

  • My pleasure. Beer it is 😊
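The flow the thread converges on (read a contact's users through the `user_sync` link, then have the integration's admin account call `oauth2/sudo/:user_name` so that subsequent requests run under a regular user's team restrictions instead of filtering client-side) as an added example. This is illustration code written for this page, not code from the thread, from SugarCRM, or from any poster. The hostname `crm.example.test`, the users `admin` and `claus`, their passwords, the contact and note ids and the team names are all made up; the transport is pluggable, and `FakeSugar` is a constructed in-memory stand-in that applies the team rule described above (admins see everything; a regular user sees records on Global or on one of their own teams, including their auto-created private team), so the whole thing runs offline. Against a real instance you would replace `FakeSugar` with a function that performs the HTTP request and returns `(status, json)`.

```python
"""Added example; not code from the original thread or from SugarCRM itself.
Sketches a Sugar v11 REST client that (1) reads a contact's users via the
`user_sync` link, (2) gets a second token with oauth2/sudo/:user_name and
(3) lists Notes with that token so Team Security is enforced server-side.
FakeSugar is a constructed in-memory stand-in (no network): admins see every
record; a regular user sees records on Global or on any of their own teams
(each user also owns an auto-created private team). Names and ids are made up."""


class SugarClient:
    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport  # callable(method, url, headers, body) -> (status, json)
        self.token = None

    def _call(self, method, path, body=None, token=None):
        headers = {"Content-Type": "application/json"}
        if token or self.token:
            headers["OAuth-Token"] = token or self.token  # Sugar's access-token header
        status, data = self.transport(method, f"{self.base_url}/{path}", headers, body or {})
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def login(self, username, password, client_id="sugar"):
        body = {"grant_type": "password", "client_id": client_id, "client_secret": "",
                "username": username, "password": password, "platform": "base"}
        self.token = self._call("POST", "oauth2/token", body)["access_token"]
        return self.token

    def contact_users(self, contact_id):
        # Link name from modules/Contacts/vardefs.php, as the answer above says.
        return self._call("GET", f"Contacts/{contact_id}/link/user_sync")["records"]

    def sudo(self, user_name, token=None):
        # Needs an admin token; returns a separate token carrying user_name's restrictions.
        data = self._call("POST", f"oauth2/sudo/{user_name}", {"platform": "base"}, token=token)
        return data["access_token"]

    def list_notes(self, token=None):
        return self._call("GET", "Notes", token=token)["records"]


class FakeSugar:
    """Constructed stand-in for a Sugar instance; models only the endpoints above."""
    def __init__(self):
        self.users = {
            "admin": {"pw": "admin-pw", "is_admin": True, "teams": {"Global", "admin (private)"}},
            "claus": {"pw": "claus-pw", "is_admin": False, "teams": {"Global", "claus (private)"}},
        }
        self.contacts = {"c-1": {"users": ["claus"]}}
        self.notes = [
            {"id": "n-1", "name": "everyone", "teams": {"Global"}},
            {"id": "n-2", "name": "claus only", "teams": {"claus (private)"}},
            {"id": "n-3", "name": "admin only", "teams": {"admin (private)"}},
        ]
        self.tokens = {}  # access token -> user name

    def _issue(self, user):
        tok = f"tok-{user}-{len(self.tokens)}"
        self.tokens[tok] = user
        return tok

    def __call__(self, method, url, headers, body):
        path = url.split("/rest/v11/", 1)[1]
        parts = path.split("/")
        if method == "POST" and path == "oauth2/token":
            u = self.users.get(body.get("username"))
            if u is None or u["pw"] != body.get("password"):
                return 401, {"error": "invalid_grant"}
            return 200, {"access_token": self._issue(body["username"])}
        user = self.tokens.get(headers.get("OAuth-Token", ""))
        if user is None:
            return 401, {"error": "need_login"}
        if method == "POST" and parts[:2] == ["oauth2", "sudo"] and len(parts) == 3 and parts[2] in self.users:
            if not self.users[user]["is_admin"]:
                return 403, {"error": "not_authorized"}  # only admins may sudo
            return 200, {"access_token": self._issue(parts[2])}
        if method == "GET" and parts[0] == "Contacts" and parts[2:] == ["link", "user_sync"]:
            return 200, {"records": [{"user_name": n} for n in self.contacts[parts[1]]["users"]]}
        if method == "GET" and path == "Notes":  # team filter applied by the server, not the client
            u = self.users[user]
            return 200, {"records": [n for n in self.notes if u["is_admin"] or u["teams"] & n["teams"]]}
        return 404, {"error": "not_found"}


def demo():
    client = SugarClient("https://crm.example.test/rest/v11", FakeSugar())
    admin_token = client.login("admin", "admin-pw")
    contact_users = [u["user_name"] for u in client.contact_users("c-1")]
    claus_token = client.sudo("claus")  # admin obtains a token restricted like claus
    as_admin = [n["id"] for n in client.list_notes()]  # admin: sees everything
    as_claus = [n["id"] for n in client.list_notes(token=claus_token)]
    try:  # a regular user's token must not be able to sudo
        client.sudo("admin", token=claus_token)
        sudo_denied = False
    except RuntimeError:
        sudo_denied = True
    return {"admin_token": admin_token, "claus_token": claus_token, "contact_users": contact_users,
            "as_admin": as_admin, "as_claus": as_claus, "sudo_denied_for_regular_user": sudo_denied}
```

The point the example makes is the one the thread ends on: the admin token and the sudo'd token coexist, the admin token still sees every Note, and the request made with the sudo'd token comes back already filtered by the server, so the frontend never has to reimplement team visibility with filter params or logic hooks. Keep the admin credential on the backend only; the sudo endpoint is an impersonation primitive and should never be reachable from the browser.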