by beachy 2601 days ago
Using an ORM to enforce security is like wearing your motorbike helmet down to the store in case a bird shits on your head.

Yes, it will help prevent bad developers from introducing SQL injection vectors, but with a whole lot of extra baggage coming along for the ride.

And there are other application security scenarios involving the database where the ORM gives you nothing, such as always forcing a "tenant = " filter in a SaaS scenario (which some database engines do support).
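
An added example, not part of the comment above: the engine-enforced tenant filter it mentions, sketched with PostgreSQL row-level security. PostgreSQL as the engine, and the table, role and `app.tenant_id` setting names, are assumptions made for illustration.

```sql
-- Constructed schema; invoices, app_user and app.tenant_id are hypothetical names.
CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id integer       NOT NULL,
    amount    numeric(12,2) NOT NULL
);

-- The application connects as an ordinary role. Superusers and roles with
-- BYPASSRLS skip policies entirely, so the app must not run as one.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another tenant. current_setting() raises an error when
-- app.tenant_id is unset, so a request that forgot to set it fails closed
-- instead of seeing every tenant's rows.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id')::integer)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::integer);

-- Per request, as app_user: bind the tenant for this transaction only.
BEGIN;
SELECT set_config('app.tenant_id', '42', true);  -- true = transaction-local
INSERT INTO invoices (tenant_id, amount) VALUES (42, 99.50);
SELECT id, tenant_id, amount FROM invoices;      -- no WHERE clause, still only tenant 42
COMMIT;

-- A write for a different tenant is refused by the engine, whatever SQL the
-- application or its ORM generated.
BEGIN;
SELECT set_config('app.tenant_id', '42', true);
INSERT INTO invoices (tenant_id, amount) VALUES (7, 10.00);
-- ERROR: new row violates row-level security policy for table "invoices"
ROLLBACK;
```

The tenant value passed to `set_config` should come from the authenticated session on the server side and be sent as a bound parameter, never taken from request input.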