by array_key_first 85 days ago
Row level security is absolutely fine.

Most companies, or at least the ones I've worked at, don't use row level security at all. Instead, the application just accesses the multi-tenant database.

It's absolutely littered with broken access control vulnerabilities. You have to remember to put the user key and group in every query across the entire application. And then there's dynamic queries and ORMs, which make everything worse. Now you can't even audit the source code, you have to observe behavior.

Most people don't know their applications have these vulnerabilities, but they're very common.

1 comments
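
An added example, not part of the thread: the "remember the tenant filter in every query" problem from the post above, with the filter moved into a row level security policy so that a query missing its `WHERE` clause is still scoped. It assumes PostgreSQL; the `invoices` table, the `app_user` role and the `app.tenant_id` setting are hypothetical names, and the rows are constructed sample data.

```sql
-- Constructed multi-tenant table (hypothetical schema).
CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id integer       NOT NULL,
    amount    numeric(10,2) NOT NULL
);

INSERT INTO invoices (tenant_id, amount)
VALUES (1, 100.00), (1, 250.00), (2, 999.00);

-- The application uses a role that neither owns the table nor has
-- BYPASSRLS; superusers and BYPASSRLS roles are never filtered.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

-- Turn the policy engine on. FORCE makes it apply to the table owner
-- as well, so a connection made as the owner is not silently exempt.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted.
-- WITH CHECK rejects rows written for a different tenant.
-- current_setting() raises an error when app.tenant_id is unset,
-- so a request that never set its tenant fails closed.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id')::integer)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::integer);

-- Per request: bind the authenticated tenant for this transaction only.
-- SET LOCAL is discarded at COMMIT/ROLLBACK, so a pooled connection
-- does not carry one tenant's id into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '1';

-- The query the post worries about: no tenant predicate at all.
-- The policy, not the application code, restricts it to tenant 1.
SELECT id, tenant_id, amount FROM invoices;

-- Targets a row owned by tenant 2 by primary key; the USING clause
-- hides that row from this session, so it is not modified.
UPDATE invoices SET amount = 0 WHERE id = 3;
COMMIT;
```

The policy only helps if the application sets `app.tenant_id` from the authenticated session rather than from request input, and if ORM-generated and dynamic queries run under the restricted role.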

I have never suggested that there's something wrong with RLS nor that RLS and an application should be mutually exclusive, as I've pointed out multiple times now.
Right, I'm just saying that, in practice, most web applications don't use it. From what I've seen. So in a relative sense, this is an improvement. And I think that's generally how we should view security. Within the context of the threat model.