no it does not, it has control of what data a user can access, it has no control of what types of joins he can do using the tables he has access to or what functions he can execute.
For example anyone can do "select md5(bigtextcolumn) from articles" and kill the db if one would expose the entire sql language to the web. PostgREST protects you agains that.
For example anyone can do "select md5(bigtextcolumn) from articles" and kill the db if one would expose the entire sql language to the web. PostgREST protects you agains that.