I must have missed that in the comment stream.
It's not really any different than using pgbouncer or something similar. All it buys you is not having to use the PG protocol on the client.
There is no extra security here though. One could even argue you lose security here, since now you have to rely on the app to not get tokens confused, since they hold and use the tokens on behalf of the user. A single bad CVE in the app and one can become any user the app currently knows about.
I think the conversation is suffering from trying to solve a problem that's underspecified, which is going to just lead to a lot of "what if" questions. I've explained my concern with relying on a single boundary, which should not be contentious, and I have given multiple examples of potential additional controls.