Not having to write a backend sounds alluring. If I were to extend your app, where would I put authentication and permission checks, and input validation (so no crummy input can be saved to the database)? Right now, every client effectively has full control over the database, correct?