A friend recently came across a project with no RLS and described it as "a once in a lifetime fuckup, a career defining moment, you could shitcan them but they wont learn how to fix it, either way they need adult oversight".
And once you find some dumb low-hanging fruit like that, you usually discover that the vibe-coded ignorance is fractal, especially with TypeScript projects where people assume that you define something in an interface with a given type that the user will always supply that - and your user will always be the app you wrote - and duck-typing doesn't exist.
Maybe worth scanning the various Android app stores? It's incredibly depressing.
For Android/iOS, I know those are even worse, but it's tricky to get the data, might be easier to get and decompile the APKs though.