SQLite Forum

Possible vulnerabilities from December 2019
The answer is: If he does not "create custom SQL functions (or virtual tables) that have side-effects", then there is no way that Richard Hipp sees for "the attack vector" (mentioned in this thread) to apply in that usage. (And note that this is not the same as the more general "exploitation".)

By "create custom SQL functions", Richard means functions that did not come with SQLite, and are loaded in the course of that usage.

By "create custom ... virtual tables", Richard means virtual tables that did not come with SQLite, and are loaded in the course of that usage.

The possible "side-effects" of concern are actions possibly taken by the custom function or virtual table code when input is other than expected, actions which, if not prevented, might include mischief of various kinds.

I spell the above out because it is obvious (to me, at least) from Richard's reply. It is also clear that his reply was predicated on the stated use of SQLite v3.32.1, and cannot be applied to an arbitrary earlier version.

Your unheard friend/advisee, if such custom code is loaded, needs to evaluate that code for vulnerabilities it may have when an arbitrary database is used.

(Edited to add caveats.)
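Added illustration, not part of the original post and not SQLite project code: a Python sketch of why a custom function with side effects matters when an arbitrary database is opened, and how `PRAGMA trusted_schema=OFF` stops a schema from invoking it. The names `notify`, `items` and `untrusted.db` are constructed, and it assumes the linked SQLite is 3.31.0 or later.

```python
import os
import sqlite3
import tempfile

def build_untrusted_db(path):
    """Constructed stand-in for a database file received from elsewhere."""
    con = sqlite3.connect(path)
    # Stub with the same name, so the view definition is accepted here.
    con.create_function("notify", 1, lambda x: None)
    con.executescript(
        "CREATE TABLE real_items(name TEXT);"
        "INSERT INTO real_items VALUES ('a'), ('b');"
        # The schema, not the application's SQL, decides that notify() runs.
        "CREATE VIEW items AS SELECT name, notify(name) AS n FROM real_items;"
    )
    con.commit()
    con.close()

def open_and_query(path, trusted_schema):
    """Open the file as the application would; report what the schema triggered."""
    calls = []                      # stands in for the function's side effect

    def notify(arg):
        calls.append(arg)
        return None

    con = sqlite3.connect(path)
    con.execute("PRAGMA trusted_schema=%s" % ("ON" if trusted_schema else "OFF"))
    con.create_function("notify", 1, notify)
    try:
        # The application only reads what it believes is a plain table.
        rows = con.execute("SELECT * FROM items").fetchall()
        error = None
    except sqlite3.OperationalError as exc:
        rows, error = [], str(exc)  # refused at prepare time
    finally:
        con.close()
    return rows, calls, error

def demo():
    path = os.path.join(tempfile.mkdtemp(), "untrusted.db")
    build_untrusted_db(path)
    return open_and_query(path, True), open_and_query(path, False)

if __name__ == "__main__":
    for label, result in zip(("trusted_schema=ON", "trusted_schema=OFF"), demo()):
        print(label, result)
```

With the schema trusted, the view calls the application's function once per row; with it untrusted, the query is refused before the function runs.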