How to restrict user not to see other user data in DRF ModelViewSet?

Question

I've created a todo list API, which have user profiles. Each User profile can have Todo List. Now everything is working fine, but the issue here is one user can able to see other users data, but I want to restrict one user no to see other users todo list while am requesting a URL.

models.py

class TodoListItem(models.Model):
    """Todo List"""

    user_profile = models.ForeignKey('UserProfile', on_delete=models.CASCADE)
    todo_item = models.CharField(max_length=150)
    description = models.CharField(max_length=255)
    created_on = models.DateTimeField(auto_now_add=True)
    reminder_date = models.DateTimeField()

    def __str__(self):
        """Return the model as the string"""

        return self.todo_item

views.py

class TodoItemViewSet(viewsets.ModelViewSet):
    """Handles creating, reading, and updating profile Todo Items."""

    authentication_classes = (TokenAuthentication,)
    serializer_class = serializers.TodoItemSerializer
    queryset = models.TodoListItem.objects.all()
    permission_classes = (permissions.UpdateTodoItem, IsAuthenticated)

    def perform_create(self, serializer):
        """Sets the user profile to the logged in User."""

        serializer.save(user_profile=self.request.user)

serializers.py

class TodoItemSerializer(serializers.ModelSerializer):
    """Serializer for Todo Items."""

    class Meta:
        model = models.TodoListItem
        fields = ('id', 'user_profile', 'todo_item', 'description', 'created_on', 'reminder_date')
        extra_kwargs = {'user_profile': {'read_only': True}}

permissions.py

class UpdateTodoItem(permissions.BasePermission):
    """Allow users to update their own status."""

    def has_object_permission(self, request, view, obj):
        """Check user is trying to update their own status."""

        if request.method in permissions.SAFE_METHODS:
            return True

        return obj.user_profile.id == request.user.id

Unexpected Result:

[
    {
        "id": 1,
        "user_profile": 1,
        "todo_item": "Todo Item 1",
        "description": "Sample todo item 1",
        "created_on": "2019-06-06T04:48:59.401451Z",
        "reminder_date": "2019-06-02T04:48:57Z"
    },
    {
        "id": 2,
        "user_profile": 2,
        "todo_item": "Todo Item 2",
        "description": "Sample todo item 3",
        "created_on": "2019-06-06T04:50:08.734365Z",
        "reminder_date": "2019-06-03T04:50:07Z"
    },
    {
        "id": 3,
        "user_profile": 1,
        "todo_item": "Todo Item 2",
        "description": "",
        "created_on": "2019-06-06T04:54:47.919602Z",
        "reminder_date": "2019-06-07T02:00:00Z"
    },
    {
        "id": 4,
        "user_profile": 1,
        "todo_item": "Todo Item 4",
        "description": "Sample todo item 4",
        "created_on": "2019-06-06T05:00:08.004224Z",
        "reminder_date": "2019-06-07T10:01:00Z"
    }
]

Expected result:

[
    {
        "id": 1,
        "user_profile": 1,
        "todo_item": "Todo Item 1",
        "description": "Sample todo item 1",
        "created_on": "2019-06-06T04:48:59.401451Z",
        "reminder_date": "2019-06-02T04:48:57Z"
    },
    {
        "id": 3,
        "user_profile": 1,
        "todo_item": "Todo Item 2",
        "description": "",
        "created_on": "2019-06-06T04:54:47.919602Z",
        "reminder_date": "2019-06-07T02:00:00Z"
    },
    {
        "id": 4,
        "user_profile": 1,
        "todo_item": "Todo Item 4",
        "description": "Sample todo item 4",
        "created_on": "2019-06-06T05:00:08.004224Z",
        "reminder_date": "2019-06-07T10:01:00Z"
    },
]

I have to see only todo_item of user_profile 1 because user_profile: 1 is the user logged in.