This actually isn't true. One can easily remove the "autopublish" package to disable the behavior of publishing all data to the client, and selectively publish only certain records to the client. Then, all client-side database modification methods can be disabled, and using server-side functions, an authentication system can be built and you can build your application's logic.