Currently you need to make sure the parameters provided aren't vulnerable to dependency injection. Basically this means: do not just concatenate user input. If you are generating the parameters yourself, you can make sure there is no SQL injection happening.
We will improve this in a future version of the Database Connector: once we have string template parameters for Java actions, JDBC bind parameters will be used.
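The two approaches contrasted in the answer above, as an added example that is not code from the forum post or from the Database Connector module. It uses Python's built-in sqlite3 module in place of the Java action and JDBC connection the connector uses, since the mechanism (user input pasted into the SQL text versus passed as a bind parameter) is the same; the table, rows, payload and the allow-list for the "generate the parameters yourself" case are all constructed here for illustration.

```python
import sqlite3

# Constructed sample data standing in for a table the app would query.
SEED_ROWS = [
    ("alice", "secret-of-alice"),
    ("bob", "secret-of-bob"),
]

# A classic tautology payload; it turns the WHERE clause into "... OR '1'='1'".
PAYLOAD = "x' OR '1'='1"

# Identifiers (column names) cannot be bound, so they must be validated
# against a fixed allow-list before they are placed into the query text.
ALLOWED_SORT_COLUMNS = {"username", "note"}


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, note TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable: the user-controlled value becomes part of the SQL text."""
    sql = "SELECT username, note FROM account WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    """Hardened: the value travels as a bind parameter and is never parsed as SQL."""
    sql = "SELECT username, note FROM account WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_sorted(conn, sort_column):
    """Safe use of a caller-chosen identifier: only allow-listed names reach the query."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    return conn.execute("SELECT username FROM account ORDER BY " + sort_column).fetchall()


def demo():
    """Run the same payload through both lookups and return what each leaks."""
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, PAYLOAD),  # every row
        "bound": lookup_bound(conn, PAYLOAD),                # no row
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows the concatenated query returning both accounts for a username that does not exist, while the bound query returns nothing; the allow-list guard covers the parts of a statement (column or table names) that a bind parameter cannot protect.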
Proper security is indeed a broad understanding. What's important here is that you make sure the security is correctly configured at entity level for the entities concerned, and that the microflows concerned have the setting "Apply entity security" set to "yes".