by VTimofeenko 160 days ago
Right, in DBs it's proper param binding + prepared statements.

I see what you're saying, makes sense.

FWIW there is (in analytics) also an RBAC layer, like "BI tool acting on behalf of user X shall never make edits to tables Y and Z".