  • When do founders start thinking about user data security

    Grace Lu
    4 replies
    Currently working on developer tools that give startups a frictionless way to secure their user data and/or build privacy-preserving apps. Wondering if this is top of mind to start, or usually closer to launch, or triggered by compliance requirements? Would love to chat with anyone who has run up against this problem.

    Replies

    Tommy De Rossi
    You need to think about it from the start. Generally, every endpoint that returns user information should have authentication and authorization. You also need to check that every SQL query does not return data not owned by the user, which sometimes can be tricky and complex.
    Steven Birchall
    It should always be from the start, though I've seen plenty of companies compromise on this to get an MVP out the door. The reality is, it needs to be done at some stage. Either a customer will demand it, you'll be forced to do it from a legal / compliance side (GDPR, CCPA, etc.) or, worst case, you will have a breach. So the earlier you can do it, the less pain it causes, and the less chance there is of a horrible, reputation-destroying event occurring.
    Anna
    Snowball Analytics
    The earlier the better. If users trust you with their personal info - you should respect their privacy and take it seriously.
    Alex
    User privacy and data security should be thought about from the beginning. It's much easier to build in security- and privacy-focused processes and tech at the start than it will be to retrofit later on. But as Steven alluded to in his earlier comment, the reality is that you might be able to only do what you can afford to do or have time to do. The risk in what you store should be a good guide to how much effort gets invested. In my experience the most likely reasons to "think" more about data security have been big customers, compliance requirements for the industry you build in, or a security finding from a penetration test or vulnerability disclosure.
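
Added example, not part of any reply in this thread: a sketch of the point in Tommy De Rossi's reply that every SQL query must return only rows owned by the requesting user, including the trickier case where ownership is recorded on a parent table. The schema, sample rows and function names are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed sample schema and data (hypothetical, not from the thread).
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE projects (id INTEGER PRIMARY KEY, owner_id INTEGER REFERENCES users(id));
CREATE TABLE documents(id INTEGER PRIMARY KEY,
                       project_id INTEGER REFERENCES projects(id), body TEXT);
INSERT INTO users VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
INSERT INTO projects VALUES (10, 1), (20, 2);
INSERT INTO documents VALUES (100, 10, 'alice notes'), (200, 20, 'bob payroll');
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def get_document_unscoped(db, doc_id):
    """Weak form: filters by id only, so any logged-in user can read any row."""
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None

def get_document_scoped(db, session_user_id, doc_id):
    """Ownership lives on the parent table, so the query joins through it.
    session_user_id must come from the authenticated session, never the request."""
    row = db.execute(
        """SELECT d.body FROM documents d
           JOIN projects p ON p.id = d.project_id
           WHERE d.id = ? AND p.owner_id = ?""",
        (doc_id, session_user_id),
    ).fetchone()
    return row[0] if row else None  # same result for missing and foreign rows

def list_documents_scoped(db, session_user_id):
    """List endpoints need the same owner filter as single-row lookups."""
    rows = db.execute(
        """SELECT d.id FROM documents d
           JOIN projects p ON p.id = d.project_id
           WHERE p.owner_id = ? ORDER BY d.id""",
        (session_user_id,),
    ).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print("unscoped, doc 200:", get_document_unscoped(db, 200))
    print("scoped as user 1, doc 200:", get_document_scoped(db, 1, 200))
    print("user 1 document ids:", list_documents_scoped(db, 1))
```

Returning the same "not found" result for rows that do not exist and rows owned by someone else keeps the endpoint from confirming which ids are valid.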