Can anybody comment on how security is handled in Om? How do you ensure that certain parts of the database (which may depend on complicated rules) are not inadvertently exposed to the client?
In short that's up to the developer. It would be like asking how does Redux handle security? Well it doesn't, it just dispatches an action object to functions, the functions you wrote.
Om.next takes code you writes and makes it go.