These controls are designed to be entirely secure. This means that they are designed to: not reveal any information about table or field names in the database, not allow editing of fields; rows; or tables by fiddling with requests, and not be susceptible to SQL injection. I highly encourage you to verify the security for yourself on the example; if you can break the security (i.e. fiddling with requests in a way that lets you change or view data that could not be changed/altered without fiddling with requests) I will add your name as a contributor to the source code.
The one thing that the coder needs to be sure to do is prevent arbitrary user input from entering into an AcField parameters. For example calling ->load_unchecked($_POST['some_variable']); would be a big security no-no. Additionally, tables, fields, and primary keys should never get passed from/through the client (i.e. AcField("AcTextbox", $_GET['field'], ... ).