
Yes, and I remember precisely how many apps just encoded the DB credentials inside of the code - with no access/rights abstraction whatsoever. So basically godmode. That's why we use service layers in apps today (REST, SOAP etc.) instead of granting a user's process godmode access to the DB.


Why godmode? If your DB user is restricted to specific tables and columns, he is controlled.

If you eventually get access to the data, it does not matter how many layers are in between (REST, SOAP). You still got the data, so that's a "god mode" in the same sense.


Row/Table level access controls don't work; you can't model use cases like "a user may not insert an order if he has 3 or more unpaid invoices" or "a user cannot insert anything until his password was changed in the last 30 days" etc. We have been there, it doesn't work. That's why we use service layers of the DB to assert business logic.
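
The two business rules named in the last comment, enforced in a service-layer function instead of through table or row grants. This is an added example, not code from any commenter; the schema, function names and sample rows are constructed, and the password rule is read here as "password changed within the last 30 days".

```python
import sqlite3
from datetime import datetime, timedelta

MAX_UNPAID = 3                          # 3 or more unpaid invoices blocks new orders
MAX_PASSWORD_AGE = timedelta(days=30)   # assumed reading of the password rule
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, password_changed_at TEXT NOT NULL);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, paid INTEGER NOT NULL);
CREATE TABLE orders   (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, item TEXT NOT NULL);
"""

class OrderRejected(Exception):
    """Raised when a business rule forbids the insert."""

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # transactions managed explicitly
    db.executescript(SCHEMA)
    return db

def place_order(db, user_id, item, now):
    """Service-layer entry point: only this code holds DB credentials, not the client."""
    db.execute("BEGIN IMMEDIATE")  # write lock first, so the checks and the insert are atomic
    try:
        row = db.execute("SELECT password_changed_at FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            raise OrderRejected("unknown user")
        if now - datetime.fromisoformat(row[0]) > MAX_PASSWORD_AGE:
            raise OrderRejected("password older than 30 days")
        unpaid = db.execute("SELECT COUNT(*) FROM invoices WHERE user_id = ? AND paid = 0", (user_id,)).fetchone()[0]
        if unpaid >= MAX_UNPAID:
            raise OrderRejected("3 or more unpaid invoices")
        cur = db.execute("INSERT INTO orders (user_id, item) VALUES (?, ?)", (user_id, item))
        db.execute("COMMIT")
        return cur.lastrowid
    except Exception:
        db.execute("ROLLBACK")     # a rejected request leaves no partial state behind
        raise

def demo():
    """Constructed data: user 1 is fine, user 2 has 3 unpaid invoices, user 3 has a stale password."""
    db, now, out = open_db(), datetime(2024, 1, 31), {}
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "2024-01-20"), (2, "2024-01-20"), (3, "2023-11-01")])
    db.executemany("INSERT INTO invoices (user_id, paid) VALUES (?, 0)", [(1,), (2,), (2,), (2,)])
    for uid in (1, 2, 3):
        try:
            out[uid] = place_order(db, uid, "widget", now)   # order id on success
        except OrderRejected as exc:
            out[uid] = str(exc)                              # rejection reason otherwise
    return out
```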



