It appears that in some database adapters (KnexJs in particular), it's easy to circumvent certain query restrictions created by hooks and services by simply adding an $or query filter on the client side. Since this could potentially open up a big vulnerability, it might be worth taking a closer look at all the database drivers to see if the situation can be improved or at the very least making sure users are aware of the security risk.
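The sketch below is an added example, not code from the original post, Feathers, or any adapter. It shows a restriction hook that merges its condition only at the top level next to one that also forces the condition into every `$or` branch. The in-memory matcher is an assumption that models an adapter combining a `$or` group with its sibling conditions using OR; all function names and sample rows are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not Feathers or adapter code.
// Constructed sample rows: ownerId is the field the server-side hook restricts on.
const rows = [
  { id: 1, ownerId: 'alice', title: 'a1' },
  { id: 2, ownerId: 'bob', title: 'b1' },
  { id: 3, ownerId: 'bob', title: 'b2' },
];

// Toy matcher (assumption): models an adapter that ORs a $or group with its
// sibling conditions, i.e. "ownerId = ? OR (...)" instead of "ownerId = ? AND (...)".
function matches(row, query) {
  const { $or, ...fields } = query;
  const keys = Object.keys(fields);
  const siblings = keys.every((k) => row[k] === fields[k]);
  if (!$or) return siblings;
  const orHit = $or.some((branch) => matches(row, branch));
  return keys.length ? siblings || orHit : orHit;
}

const find = (query) => rows.filter((r) => matches(r, query)).map((r) => r.id);

// Weak hook: merges the restriction at the top level only.
function naiveRestrict(clientQuery, restriction) {
  return { ...clientQuery, ...restriction };
}

// Hardened hook: also forces the restriction into every $or branch (recursively),
// so the result stays scoped whether the adapter combines $or with AND or OR.
function hardenedRestrict(clientQuery, restriction) {
  const out = { ...clientQuery, ...restriction };
  if (Array.isArray(clientQuery.$or)) {
    out.$or = clientQuery.$or.map((b) => hardenedRestrict(b, restriction));
  } else {
    delete out.$or; // drop a malformed $or instead of passing it through
  }
  return out;
}

const scope = { ownerId: 'alice' };                // what the hook enforces
const clientQuery = { $or: [{ ownerId: 'bob' }] }; // constructed client filter

console.log('naive   :', find(naiveRestrict(clientQuery, scope)));
console.log('hardened:', find(hardenedRestrict(clientQuery, scope)));
```

A regression test for a restriction hook can assert the same property against the real adapter: no row outside the enforced scope is returned for any query that contains `$or`.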