> An underlying question is whether security exists to protect the
> careless from themselves? A developer who allows procedures to execute
> arbitrary SQL in an application with sophisticated security rules is
> careless at best. Or do we want to make it possible to build systems
> that use all the capabilities of the system together?

I think both security principles for EXECUTE STATEMENT have rights
for existence. We can extend syntax of EXECUTE STATEMENT for example :

EXECUTE STATEMENT ... [WITH {USER | OWNER | PROCEDURE} RIGHTS]

where

USER means that statement will be checked against caller user rights -
this is current behavior and must be default

OWNER - statement will be checked against rights of that user who create
procedure\trigger containing this dynamic statement

PROCEDURE - statement will be checked against rights of procedure\trigger
containing this dynamic statement

Regards,
Vlad