Most multi-user apps were two tiered: client and database. The way they worked was by connecting directly to the database and/or a shared filesystem in the local network. All validation happened client-side.

Database credentials and fine-grained file/directory permissions were the only security measures. That and the NAT. ;)

There's still software in the market that uses this model, like some niche ERPs from the 90s and software catered to small/mid businesses.