by ruslan_talpa 3379 days ago
Because the web API (PostgREST) has strict control over the types of queries the client is allowed to execute, thus preventing DoS attacks against the db that force it to run complicated/unoptimised joins or functions that use a lot of CPU.

PostgreSQL has built-in strict control also.
No, it does not. It has control of what data a user can access; it has no control of what types of joins he can do using the tables he has access to or what functions he can execute.

For example, anyone can do "select md5(bigtextcolumn) from articles" and kill the db if one would expose the entire SQL language to the web. PostgREST protects you against that.