Remember, most SQL statements can be executed from the context of a PL/SQL block, and PL/SQL blocks can be executed from SQL*Plus. Therefore, if you limit a user’s access to a particular SQL command but allow the user access to the BEGIN, DECLARE, and EXECUTE commands, a determined user could simply couch a SQL statement in the context of a PL/SQL block. If you are limiting access to any SQL commands, you should also limit access to these PL/SQL commands, or else you are depending on the lack of sophistication of your user for your security.
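
The following is an added example, not taken from the original text. It assumes the restriction is made through SQL*Plus's `SYSTEM.PRODUCT_USER_PROFILE` table (the text above does not name the mechanism) and uses a hypothetical account `APP_USER`. It shows the incomplete restriction beside the corrected one, then a query that lists accounts still missing the PL/SQL restrictions.

```sql
-- Incomplete: only DELETE is disabled for the hypothetical user APP_USER.
-- BEGIN, DECLARE and EXECUTE remain available, so the restriction can be
-- sidestepped from a PL/SQL block, as described above.
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'DELETE', 'DISABLED');

-- Corrected: disable the three PL/SQL entry points for the same user.
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'BEGIN', 'DISABLED');
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'DECLARE', 'DISABLED');
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'EXECUTE', 'DISABLED');
COMMIT;

-- Audit: every USERID entry that has at least one SQL command disabled
-- but does not have all of BEGIN, DECLARE and EXECUTE disabled.
-- USERID may contain wildcards (for example 'APP%'); this query compares
-- the stored patterns literally, so review wildcard rows by hand.
SELECT p.userid,
       LISTAGG(p.attribute, ',') WITHIN GROUP (ORDER BY p.attribute)
         AS disabled_commands
FROM   system.product_user_profile p
WHERE  p.product = 'SQL*Plus'
AND    p.char_value = 'DISABLED'
GROUP  BY p.userid
HAVING COUNT(DISTINCT CASE
               WHEN p.attribute IN ('BEGIN', 'DECLARE', 'EXECUTE')
               THEN p.attribute END) < 3
AND    COUNT(CASE
               WHEN p.attribute NOT IN ('BEGIN', 'DECLARE', 'EXECUTE')
               THEN 1 END) > 0
ORDER  BY p.userid;
```

An empty result from the audit query means every literal `USERID` entry with a disabled SQL command also has all three PL/SQL commands disabled.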