Yes, this is a central issue in sync. For most applications, sync engines just aren't useful without some solution. Of course you need to validate inputs, support fine-grained permissions, etc., as developers have done with web apps for eons.
In Replicache, we addressed this by making your application server responsible for writes:
https://doc.replicache.dev/concepts/how-it-works
By doing this, your server can implement any validation it wants. It can also interact with external systems, do notifications, etc. Anything you can do with a traditional API.
In our new sync engine, Zero (https://zerosync.dev), we're adding this same ability soon (like this week) under the name custom mutators:
https://bugs.rocicorp.dev/issue/3045
This has been a hard project, but is really critical to use sync engines for anything serious.