not really from a security aspect in the purest sense, but it would have prevented friendly users from accessing information that is not intended for them. I’ve already seen the issues with the client based data plugins and you are correct that grafana offers nothing in the form of data source protection. Proxies or database security is needed to prevent accessing unauthorized data.
I have wondered why there is not a separate “free text” template variable that would have been used for this purpose but this “feature” explains that a bit.
Maybe a checkbox that would prevent friendly users from doing things outside of what the dashboard designer intended would have been nice…?