I agree that the transactional state of an object can affect the result of an by association retrieve vs a database retrieve.
But I dont see the security risk, because when you dont have access rights on the referenced object, the return will be empty incase of a dirty set association. If it would happen, your access rights aren't correct.
Next to that I agree you should always make the right choice and there are many cases where by association could be quicker, but from DB is correct
One example can be found in the rapid developer course, when calculating the NrOfRegistrations.
First retrieve is retrieve of the associated TrainingEvent by association. This is correct and the quickest, as it happens after the commit of the context object registration. If from database would return something different than by association, you have big problems. (Not being the retrieve itself)
While the second one is from database. Retrieving all registrations of the just retrieved TrainingEvent. When you would retrieve them by association. You could retrieve uncommitted registrations and thus the count would be wrong. And also, dB retrieve + aggregate will be optimised to count/sum/... Select instead of a retrieve