Intuitively I agree with Maciej, although nothing prevents one from invoking EnvironmentImpl.getFromCurrent(Session.class).createQuery().executeUpdate() from a custom or java activity, which makes any protection quite easy to defeat. The update attribute in the hsql/sql activities is enough to prevent unintended updates.