While checking the release notes for Mendix 6.9.0 I stumbled over this section:
"We have also deprecated the NPE attribute-level security for attributes that do not have at least read access. This will also be prohibited in Mendix 7. The reason for this is that non-readable attributes cannot be sent to the client."
Now I wonder why an NPE can't have non-readable attributes while a PE still can? And does this also hold for non-readable associations? (There's at least no deprecation warning for this in 6.9.0.)
I can only guess that's related to this:
"In Mendix 7, the server state will move to the client so that the server will be stateless and can be scaled horizontally"
and that's where I expect more to be coming up in Mendix 7 with respect to security.
Does someone have more insight on that topic?