Supabase is really tough to make secure, and it is probably a poor choice if you are interested in vibe coding. Row Level Security is likely to be insecure if the author doesn't have a deep understanding of Postgres or isn't paying careful attention to all of the generated code relevant to the database.
Is there a low-code backend/full-stack which is secure by default? I remember some clunky UI to define filters and projection in Firebase. Can a Django/Laravel app weekend project get there before Supabase?
Just "vibe coding" something minimal in a Cloudflare Worker, or even, ironically, a Supabase Edge Function that directly connects to the DB would 9 out of 10 times lead to something more secure than using RLS. The LLM will always default to RLS when using Supabase as that's what they promote the hardest in marketing materials, so that's what it's trained on.
Secure by default? No such thing by virtue of the fact that security is case dependent.
That said, all of the full-fat frameworks make it pretty easy to define what should and shouldn't be visible to which users. The use case that he has would not have been harder to do using Rails, Phoenix, Django, etc. as a backend, and it would have been very easy to control the failures that he had.
It doesn't have to be full-fat, it can be literally anything as long as it provides a backend layer in between the DB and the FE. It can be a single TypeScript file that uses literally whatever the LLM defaults to, probably Express given its training materials, or Hono for something more modern, or any of the 1000 other options.
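To make concrete what the "backend layer in between the DB and the FE" approach buys you, here is an added example (not code from anyone in this thread, and not tied to Supabase, Express or Hono). It is a framework-free sketch of the two handlers such a layer would expose: the caller's identity is resolved from a server-side session store, the owner filter is built once on the server from that identity, and client-supplied parameters can never widen it. The session store, the `notes` rows and the `tok-*` tokens are all constructed for the example; the only thing a real deployment would swap in is running the parameterized statement that `buildNotesQuery` returns against Postgres.

```javascript
// Added example, not code from the thread. A minimal backend layer that sits
// between the front end and the database: the user is resolved from a
// server-side session store, every query is scoped to that user on the server,
// and the client cannot widen the scope by adding parameters. All data below is
// constructed for the example; a real app would hand the statement returned by
// buildNotesQuery to a Postgres driver as a parameterized query.

// Constructed session store (token -> user id). In production this would be a
// signed session or a server-side lookup, never a user id sent by the client.
const SESSIONS = new Map([
  ["tok-alice", "alice"],
  ["tok-bob", "bob"],
]);

// Constructed rows standing in for a Postgres "notes" table.
const NOTES = [
  { id: 1, owner_id: "alice", body: "alice note 1" },
  { id: 2, owner_id: "bob", body: "bob note 1" },
  { id: 3, owner_id: "alice", body: "alice note 2" },
];

// Resolve the caller from the Authorization header. Returns null when the
// header is missing, malformed, or carries a token the server does not know.
function resolveUser(headers) {
  const auth = headers.authorization || "";
  const [scheme, token] = auth.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) ?? null;
}

// The only place an owner filter is built. The owner is the session user and
// the function takes no client-controlled input at all, so there is nothing
// for a forged query-string or body field to override.
function buildNotesQuery(userId) {
  return {
    text: "SELECT id, owner_id, body FROM notes WHERE owner_id = $1",
    values: [userId],
  };
}

// Stand-in for executing the parameterized query against NOTES.
function runQuery(q) {
  const [ownerId] = q.values;
  return NOTES.filter((n) => n.owner_id === ownerId);
}

// GET /notes: list the caller's notes. Query-string parameters such as
// ?owner_id=bob are deliberately never read.
function handleListNotes(req) {
  const user = resolveUser(req.headers);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  return { status: 200, body: runQuery(buildNotesQuery(user)) };
}

// GET /notes/:id: return one note only if the caller owns it. A note the
// caller cannot see is reported as 404, the same as a non-existent id, so the
// response does not reveal whether other users' ids exist.
function handleGetNote(req, id) {
  const user = resolveUser(req.headers);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const note = runQuery(buildNotesQuery(user)).find((n) => n.id === id);
  if (!note) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: note };
}
```

The design point is that authorization lives in exactly one function (`buildNotesQuery`) whose only input is the server-resolved user, so a reviewer, human or LLM, has a single place to check rather than a policy per table that silently falls back to "allow" when misconfigured.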
I think that this is the answer. Maybe someone who is great with Postgres Row Level Security will have an OK time with Supabase security, even if they are vibe coding. They wouldn't think of asking the AI for something that won't work.