Audience question: embedding SQLite inside the application process trades away the isolation security principle that a separate DB process provides, enlarging the attack surface — is the performance win worth it?

Margheim: the trade-off is real but symmetric. A separate DB process is one more thing to harden; a single attack vector is one thing to harden. If an attacker has shell on your single machine you're probably hosed anyway. Do the absolute-best-security analysis only when your application actually requires hardened multi-layer security; for many apps, choosing tools to maximize leverage (20% effort for 80% value) is the right engineering judgment — obsessive best-of-breed-per-slice reflects a wrong mindset about doing the job well.