Keith Medcalf in post #17 has clarified everything I've written and we'll try his solution.
>I still believe that, provided that no custom functions or virtual tables are being linked/loaded. (Whether such custom code might be run in your (friend's) application is not evident here.) If such custom code is in the application image as finally loaded, then (as I said before) it will need to be examined for the possibilities arising from execution of arbitrary SQL. If it is well designed, without intentional side effects (such as running shell scripts to process SQL-provided text) and without unintentional side effects due to coding flaws, then it may well be immune to the sort of attack discussed in this thread.
The open source application code literally does nothing more than what the (PHP) code in the video showed, specifically the lines of python in use here are
>db = sqlite3.connect(file)
>cursor = db.cursor()
>cursor.execute("SELECT ABC, DEF FROM TABLE")
Then it reads the data and does absolutely nothing unusual with it other than convert to utf8/base64 for example.
The proof of concept exploitable lines in the video are literally
>$db = new SQLite3($fileDB);
>$Datax = $db->query('SELECT BodyRich FROM Notes');
Thank you (and everyone else) for the help. I will try post #17's solutions and see if they help him out.