LIVE FROM DRUPALCON SZEGED. This idea came out of a session that Ken Rickards gave on node_access.
When you do a "SELECT FROM {node}", you should typically also wrap this in db_rewrite_sql. Since this is a security issue, but not a hard and fast rule, the rule should say something like "you are probably doing something wrong."
This is an issue, because writing the issue is a little difficult (otherwise I would of just written it). I'm sure that we could write a regex that works on the '#source' => 'all'. But it would be nice to implement a rule hierarchy, such that we could regex look for SQL lines with {node} that do not have (grep_invert) db_rewrite_query.