If the portlets are NSQL based then you should be adding in the "security" clause, which will restrict data to the same data a user can see in the application normally. It looks something like this:
WHERE @WHERE:SECURITY:PROJECT:I.id@
where the I.id is the reference to the inv_investments.id from elsewhere in your NSQL.
If the level of control you want is more detailed than the normal application security rules, then just "code" it into the NSQL (i.e. specifically only return data for certain projects, or projects where the executing user is a team member; you can determine the executing user in NSQL using the built-in @WHERE:PARAM:USER_ID@).
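As an added illustration (not part of the original post), here is an NSQL portlet query that combines both approaches described in the reply: the standard security clause keyed on I.id, plus a tighter custom rule that only returns projects where the executing user is a team member, using @WHERE:PARAM:USER_ID@. The tables prteam and srm_resources, their join columns, and the column aliases in the SELECT list are assumptions about the Clarity schema and are not taken from the post.

```sql
-- Added example, not from the original post. Assumes the standard Clarity/CA PPM
-- tables inv_investments, prteam and srm_resources and their join columns.
SELECT
    @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:I.id:project_id@,
    @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:I.code:project_code@,
    @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:I.name:project_name@
FROM inv_investments I
WHERE I.odf_object_code = 'project'
  -- 1. Baseline: the same project visibility the user has in the application UI.
  --    Without this line the portlet would return every project the database
  --    connection can read, regardless of the user's application rights.
  AND @WHERE:SECURITY:PROJECT:I.id@
  -- 2. Tighter custom rule: the executing user must also be on the project team.
  --    @WHERE:PARAM:USER_ID@ is the security user id (cmn_sec_users.id), so it is
  --    mapped to a resource via srm_resources.user_id before checking prteam.
  AND EXISTS (
        SELECT 1
        FROM prteam t
        JOIN srm_resources r ON r.id = t.prresourceid
        WHERE t.prprojectid = I.id
          AND r.user_id = @WHERE:PARAM:USER_ID@
      )
  -- Placeholder for the portlet's filter fields; NSQL requires it even with no filters.
  AND @FILTER@
```

The two conditions are additive: the security clause is the floor, and the EXISTS subquery narrows the result further. Dropping the @WHERE:SECURITY@ line and relying only on the custom rule would quietly re-expose projects the user is not entitled to see in the application, so keep both when you need the stricter behaviour.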