On Tue, 2025-05-20 at 13:07 +0000, PG Bug reporting form wrote:
> If an attacker gains privileges on a table, they can exploit triggers to
> modify or exfiltrate data from other tables, provided the trigger can be
> activated by either a superuser or a user with privileges on the target
> tables.
That's working as designed.
If a superuser performs a data modification on a table owned by an
untrustworthy user, it is "game over".
That is one of the reasons why you should use a superuser only for tasks
that require superuser privileges.
Yours,
Laurenz Albe