Functions and triggers allow users to insert code into the backend
server that other users may execute unintentionally. Hence, both
mechanisms permit users to "Trojan horse"
others with relative ease. The only real protection is tight
control over who can define functions.
Functions run inside the backend
server process with the operating system permissions of the
database server daemon. If the programming language
used for the function allows unchecked memory accesses, it is
possible to change the server's internal data structures.
Hence, among many other things, such functions can circumvent any
system access controls. Function languages that allow such access
are considered "untrusted", and
PostgreSQL allows only superusers to
create functions written in those languages.