
Is there a low-code backend/full-stack which is secure by default? I remember some clunky UI to define filters and projection in Firebase. Can a Django/Laravel app weekend project get there before Supabase?


Just write SQL queries, sanitize them, use unix users or selinux to restrict system users.

It has its dangerous spots, and its uncomfortable spots, but we pretty much know all about them already, and usage is heavily documented.

Or you can try ORM74 and hope it is faster and more secure than THE standard way. Gamble away.

Or maybe try Framework 74b which abstracts away the ORM


Just "vibe coding" something minimal in a Cloudflare Worker, or even, ironically, a Supabase Edge Function that directly connects to the DB would 9 out of 10 times lead to something more secure than using RLS. The LLM will always default to RLS when using Supabase as that's what they promote the hardest in marketing materials, so that's what it's trained on.


Secure by default? No such thing by virtue of the fact that security is case dependent.

That said, all of the full fat frameworks make it pretty easy to define what should and shouldn't be visible to what users, the use case that he has would not have been harder to do using rails, phoenix, django, etc as a backend, and it would have been very easy to control the failures that he had.


It doesn't have to be full fat, it can be literally anything as long as it provides a backend layer in between the DB and the FE. It can be a single TypeScript file that uses literally whatever the LLM defaults to, probably Express given its training materials, or Hono for something more modern, or any of the 1000 other options.
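An added example, not from anyone in this thread, of the two things the comments above ask for: the "just write SQL queries, sanitize them" advice and the "backend layer in between the DB and the FE" advice. It is plain TypeScript with no framework, so it works the same whether the handler is later mounted in Express, Hono or a Worker. The in-memory `NOTES` table, the `SESSIONS` token map and the toy `execute` function are constructed stand-ins for a real database driver and session store; the point they illustrate is that the row scope comes from the server-side session, not from anything the client sends, and that parameters never get spliced into the SQL text.

```typescript
// Added example (not code from the thread): a minimal backend layer that sits
// between the front end and the database and owns the authorization decision.

type Row = { id: number; owner_id: number; body: string };

// Constructed in-memory "table" standing in for a real database.
const NOTES: Row[] = [
  { id: 1, owner_id: 10, body: "alice's first note" },
  { id: 2, owner_id: 20, body: "bob's note" },
  { id: 3, owner_id: 10, body: "alice's second note" },
];

// Constructed session store: opaque bearer token -> authenticated user id.
// A real app would look this up in its session backend or verify a signed token.
const SESSIONS: Record<string, number> = { "tok-alice": 10, "tok-bob": 20 };

// A query is SQL text plus a separate parameter list, the shape a real
// prepared-statement API takes. The text is fixed; only params vary.
type Query = { sql: string; params: unknown[] };

const LIST_NOTES_SQL = "SELECT id, owner_id, body FROM notes WHERE owner_id = $1";

// Toy executor standing in for the database driver. It only knows one
// statement, which keeps the "parameters never touch the SQL text" property
// visible: there is no string building anywhere on the request path.
function execute(q: Query): Row[] {
  if (q.sql !== LIST_NOTES_SQL) {
    throw new Error("toy executor: unsupported statement");
  }
  const owner = q.params[0];
  return NOTES.filter((r) => r.owner_id === owner);
}

type ApiRequest = {
  headers: Record<string, string>;
  // Client-supplied query-string values. Deliberately not trusted below.
  query: Record<string, string>;
};
type ApiResponse = { status: number; body: Row[] | { error: string } };

// Resolve the caller's identity from the session, never from the request body.
function authenticate(req: ApiRequest): number | undefined {
  const raw = req.headers["authorization"];
  if (raw === undefined || !raw.startsWith("Bearer ")) return undefined;
  return SESSIONS[raw.slice("Bearer ".length)];
}

// GET /notes: returns only the rows owned by the authenticated user.
function handleListNotes(req: ApiRequest): ApiResponse {
  const userId = authenticate(req);
  if (userId === undefined) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  // req.query.owner_id, if present, is ignored on purpose: the row scope is
  // fixed by who the session says the caller is, so a client cannot widen it.
  const q: Query = { sql: LIST_NOTES_SQL, params: [userId] };
  return { status: 200, body: execute(q) };
}

// Stand-alone usage.
console.log(handleListNotes({ headers: { authorization: "Bearer tok-alice" }, query: {} }));
```

The same shape carries over to a real driver: keep the statement text a constant, pass values through the driver's parameter list, and derive every filter that matters for authorization from the session rather than from the request. That is the check a row-level-security policy would otherwise have to express in the database, done once in the one place every request passes through.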



