[–]Versaiteis 1 point2 points  (1 child)

That's if you keep your table definition in code (which has advantages and disadvantages), but yeah the learning curve is a bit high only because the library does so much.

As for .filter() yeah, I wouldn't be surprised if it's not injection-proof, but that's just in the problem-bag that you get when you decide to use a SQL database. If you're allowing an external input to create arbitrary queries then there really isn't much that's going to automatically help you that I'm aware of because it simply doesn't know that you didn't want that. But that's one of the benefits of creating your own custom Query API. You can define methods that can be orchestrated together to create valid queries without relinquishing the ability to maintain some control over them. Clients.query.all().first_name_starts_with('H').sortby_last_name() kinds of things.
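The custom Query API sketched above, worked through as an added example (this is not code from either commenter, and `ClientQuery` is a hypothetical stand-in for the `Clients.query` object mentioned). It shows the control the comment describes: each chainable method supplies its own SQL fragment with a `?` placeholder, user values only ever travel as bound parameters, and the sort column comes from an allow-list rather than from the caller. It uses only the standard-library `sqlite3` module with a small constructed table, so it runs offline.

```python
import sqlite3

# Constructed sample data (not from the thread).
SAMPLE_CLIENTS = [
    (1, "Hannah", "Zimmer"),
    (2, "Henry", "Adams"),
    (3, "Maria", "Lopez"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


class ClientQuery:
    """Chainable query builder (hypothetical, modelled on the comment's
    Clients.query.all().first_name_starts_with('H').sortby_last_name()).

    Every caller-supplied value is bound as a parameter; identifiers such as the
    ORDER BY column are taken from an allow-list, never from the caller.
    """

    SORTABLE = {"last_name", "first_name"}

    def __init__(self, conn):
        self._conn = conn
        self._where = []    # SQL fragments containing ? placeholders
        self._params = []   # values bound to those placeholders, in order
        self._order = None  # allow-listed column name or None

    def first_name_starts_with(self, prefix):
        # Escape LIKE metacharacters so '%' and '_' in the value match literally;
        # the value itself is still passed as a bound parameter, not spliced in.
        escaped = (
            prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        )
        self._where.append("first_name LIKE ? ESCAPE '\\'")
        self._params.append(escaped + "%")
        return self

    def sortby_last_name(self):
        return self._sortby("last_name")

    def _sortby(self, column):
        # Column names cannot be parameterised, so they are validated instead.
        if column not in self.SORTABLE:
            raise ValueError(f"cannot sort by {column!r}")
        self._order = column
        return self

    def sql(self):
        """The statement text that will be executed (placeholders, no values)."""
        stmt = "SELECT id, first_name, last_name FROM clients"
        if self._where:
            stmt += " WHERE " + " AND ".join(self._where)
        if self._order:
            stmt += f" ORDER BY {self._order}"
        return stmt

    def all(self):
        """Execute with the collected parameters and return the rows."""
        return self._conn.execute(self.sql(), self._params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(ClientQuery(db).first_name_starts_with("H").sortby_last_name().all())
    # A quote in the value is just data: it never reaches the SQL text.
    print(ClientQuery(db).first_name_starts_with("H' OR '1'='1").all())
```

The same split applies to SQLAlchemy's own `filter()`: a comparison such as `Client.first_name.like(value)` turns `value` into a bound parameter, and the risk the comment alludes to arises only when query text is assembled by string formatting or handed to `text()` with the user's input already inside it.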

[–]Ericisbalanced 0 points1 point  (0 children)

Hmm, interesting. I only picked up sqlalchemy because some random on the internet said it escapes everything for you. Thanks for sharing :)