Firstly, you won't be able to stop someone who has access to the database or the root user from seeing the data (at least not without some encryption).
In terms of normal site operation this isn't too hard to do. The two hooks you need to invoke are hook_node_grants() and hook_node_access_records(); there is quite a good example, which also pretty much does what you want in the question, here.
Put simply, hook_node_access_records() returns a structure detailing realms and ids which can perform actions on it, and hook_node_grants() returns the realms and ids for a user. If there is a match between the two then access (read or write) is granted.
This gives you a lot of flexibility. One example would be that people could only read nodes created by other people with the same star sign. In hook_node_grants() you would examine the user object to get the star sign and return $grants['starsign'] = 2.
When a node is saved, hook_node_access_records() would have to check the star sign of the user who created it and do something like:
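// $account is the user who created the node.
$grants = array();
$grants[] = array(
  'realm' => 'starsign',
  // Group id: the author's star sign.
  'gid' => $account->starsign,
  // Matching users may view, but not update or delete.
  'grant_view' => 1,
  'grant_update' => 0,
  'grant_delete' => 0,
  'priority' => 0,
);
return $grants;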
That way, if the realm and group id match, the user will be given read access.
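
Added example (not part of the original answer): a stand-alone PHP model of the realm/gid matching described above, using the star sign case. The module name mymodule, the starsign and author properties and model_can_view() are hypothetical; the fallback to a realm 'all', gid 0 record when a published node gets no records is modelled on core's default.

```php
<?php
// hook_node_grants(): realm => gids this user holds ('mymodule' is hypothetical).
function mymodule_node_grants($account, $op) {
  $grants = array();
  if ($op == 'view' && !empty($account->starsign)) {
    $grants['starsign'] = array($account->starsign);
  }
  return $grants;
}

// hook_node_access_records(): realm/gid pairs allowed to act on the node.
// $node->author is a constructed stand-in for the loaded author account.
function mymodule_node_access_records($node) {
  if (empty($node->author->starsign)) {
    // No record returned: core then writes its default record (modelled below).
    return array();
  }
  return array(array(
    'realm' => 'starsign',
    'gid' => $node->author->starsign,
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  ));
}

// Hypothetical, simplified model of the view check made against stored records.
function model_can_view($records, $user_grants, $published = TRUE) {
  if (empty($records) && $published) {
    $records = array(array('realm' => 'all', 'gid' => 0, 'grant_view' => 1));
  }
  $user_grants['all'] = array(0); // every user holds realm 'all', gid 0
  foreach ($records as $r) {
    $held = isset($user_grants[$r['realm']]) ? $user_grants[$r['realm']] : array();
    if ($r['grant_view'] && in_array($r['gid'], $held, TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample data: star signs as integer ids.
$leo = (object) array('starsign' => 5);
$virgo = (object) array('starsign' => 6);
$by_leo = mymodule_node_access_records((object) array('author' => $leo));
$by_nobody = mymodule_node_access_records((object) array('author' => new stdClass()));
var_dump(model_can_view($by_leo, mymodule_node_grants($leo, 'view')));
var_dump(model_can_view($by_leo, mymodule_node_grants($virgo, 'view')));
var_dump(model_can_view($by_nobody, mymodule_node_grants($virgo, 'view')));
```

The last call is the case to check when restricting content this way: a node whose author has no star sign gets no 'starsign' record, so it falls back to the default record and every user can view it.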