All objects of entities used on pages in the hybrid offline profiles will be downloaded after initial login. After that only changed objects on synchronization. You need to make sure to implement to proper access rules on these entities because entity access is enforced on syncing. So only let users read there own orders (path to owner) or only orders which were made in the last 7 days, or someother rule of choice.
If this is not possible, you might need to set up a dedicated module in your application for the offline functionality which contains shadow entities of your real entities and enforce your own logic to sync items from one module to the other. Either way, it’s a bit of a hassle right now but will get much better with some nice options in Mx8.
The answers to all above question can be found in the Mendix Docs regarding offline functionality, also how this can be customized to limit this amount.