Basically, every time you don't use a core controller, you need to sanitize input and output. Not doing so means that your private fields are filterable (if you don't sanitize the input) or included in the output (if you don't sanitize the output), which means that if there is a connection to your admin user somewhere, you can be hacked.
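As an added illustration (not code from the post or from any particular framework), here is what a custom controller has to do on both sides: drop query filters that target private fields, so nobody can probe a password hash through `filters`, and strip those fields from records before returning them. The field names, query shape and repository callback are assumptions, constructed for the example.

```javascript
// Constructed schema: fields that must never be filterable or returned.
const PRIVATE_FIELDS = new Set(["password", "resetToken"]);

function isEmptyObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) && Object.keys(v).length === 0;
}

// Input side: recursively remove any filter keyed on a private field,
// including dotted relation paths ("author.password") and conditions
// nested under logical operators such as $and / $or.
function sanitizeFilters(filters) {
  if (Array.isArray(filters)) {
    return filters.map(sanitizeFilters).filter((f) => !isEmptyObject(f));
  }
  if (filters === null || typeof filters !== "object") return filters;
  const out = {};
  for (const [key, value] of Object.entries(filters)) {
    if (key.split(".").some((seg) => PRIVATE_FIELDS.has(seg))) continue; // drop the probe
    const cleaned = sanitizeFilters(value);
    if (isEmptyObject(cleaned) || (Array.isArray(cleaned) && cleaned.length === 0)) continue;
    out[key] = cleaned;
  }
  return out;
}

// Output side: recursively strip private fields from records and relations.
function sanitizeOutput(record) {
  if (Array.isArray(record)) return record.map(sanitizeOutput);
  if (record === null || typeof record !== "object") return record;
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (PRIVATE_FIELDS.has(key)) continue;
    out[key] = sanitizeOutput(value);
  }
  return out;
}

// A custom "find" handler (assumed shape): sanitize the incoming filters,
// query the repository, then sanitize what goes back to the client.
function customFind(query, repository) {
  const filters = sanitizeFilters(query.filters ?? {});
  return sanitizeOutput(repository(filters));
}
```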