db_rewrite_sql() in Drupal 6, and in Drupal 7 tagging a dynamic query with 'node_access' so that hook_query_alter() implementations can act on it, give other modules a way to extend your SQL queries. For example, a module which controls access to nodes needs to limit the results of your queries, removing any nodes for which the visitor does not have the required access permissions.
If you do not make use of db_rewrite_sql() or hook_query_alter(), access control modules won't be able to modify or extend your SQL queries, and you may inadvertently expose content that is meant to be restricted.
It's good practice to always make use of db_rewrite_sql() or hook_query_alter().
Possible exceptions include:
- Queries which carry out internal module work, but which aren't responsible for showing content to users (e.g. queries within cron tasks).
- Queries for administrative pages where it is necessary to show an unfiltered list, and where the user is guaranteed to already have full privileges.
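As an added example (not code from the original page or from Drupal itself), here is a node listing in its unsafe form beside the form that lets access-control modules filter it, for both versions. The module name "example" and the function names are assumed.

```php
<?php
// Added example, not from the original page. Assumes a hypothetical
// module named "example" running in Drupal 6 (first function) or
// Drupal 7 (second function).

/**
 * Drupal 6: list published node titles visible to the current user.
 */
function example_d6_list_titles() {
  // UNSAFE: no node-access module can filter this query, so restricted
  // nodes are returned to every visitor.
  // $result = db_query("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1");

  // SAFE: db_rewrite_sql() lets hook_db_rewrite_sql() implementations add
  // the node_access join and conditions. 'n' and 'nid' are the defaults for
  // the primary table alias and primary key, written out here for clarity.
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = %d";
  $result = db_query(db_rewrite_sql($sql, 'n', 'nid'), 1);

  $titles = array();
  while ($row = db_fetch_object($result)) {
    $titles[$row->nid] = $row->title;
  }
  return $titles;
}

/**
 * Drupal 7: the same listing as a tagged dynamic query.
 */
function example_d7_list_titles() {
  // UNSAFE: a static db_query() string never passes through query alter
  // hooks, so access-control modules cannot touch it.
  // $rows = db_query("SELECT nid, title FROM {node} WHERE status = 1")->fetchAllKeyed();

  // SAFE: the 'node_access' tag lets hook_query_alter() and
  // hook_query_node_access_alter() implementations (the node module's own
  // among them) add the access conditions for the current user. The node
  // table must be the base table; if it is not, declare it with
  // ->addMetaData('base_table', 'node') or the alter hook will throw.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}
```

Both functions return a nid => title array; a quick check is to call them as an anonymous user and confirm that nodes restricted by an installed node-access module are absent from the result.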