what if you have endpoint user/tasks/{id} and you dont put validation if you have access to this task but when you make call to the db you use the filter task = id and userid = token.userid ?
too late better than never ; you waste a call to the database (sometimes costly, and it can stack up), you break single responsibility principle (data layer is not responsible for auth), you make testing, auditing and maintenance difficult (change of schema? distributed databases?). There must be even nastier and more obvious things I don't see from a security standpoint, but these reasons are already enough in terms of best practices.
