Last night I did a quick vibe-coding session in Cursor for an iOS app that does currency exchange conversions. One of the key requirements in the PRD was to store the API key securely. First round of coding put the key in plain text right in the code.

So yeah, human oversight is definitely a thing.