My experience with Supabase is it does actually warn you constantly if you don't set up RLS.
My experience is watching a colleague use Lovable, which will mostly ignore security. Sure, if you prompt it the system will do something which seems correct, but it will also happily undo that as well.
E.g., I was trying to help her set up a webhook listener, and it undid our efforts.
These tools seem incapable of building software in the hands of users who don't understand security already.
You assume people read. :)
People are using LLMs to generate apps and it's easy for non-technical people to miss this stuff. The blog post mentions https://lovable.dev/ becoming a $300M company, which uses Supabase by default and basically generates React SPAs with no true backend. But random people won't understand this distinction and will want to create full real apps. Doing this serverless is tricky and requires a lot of careful thought to do right.
Lovable is not going to tell them to use a proper auth service or fully secure their data. One Lovable project I looked at had generated an entire custom JS Markdown parser instead of using react-markdown, for example.