I see a lot of people using literal in the query builder:
That's a terrible approach: it's basically the same as concatenating values in your query, and therefore vulnerable to injection attacks. => actually no, strings are quoted
I suspect people do that in methods that rebuild the query every time, which is inefficient.
Add a section in the main query builder manual page, to explain better alternatives: build with bind markers and provide the values separately, or prepare.
Add a warning in the literal() javadocs.
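
The alternatives named above (bind markers with values supplied separately, or a prepared statement) next to the literal() pattern, as an added example that is not part of the original text or of the driver's own documentation. It assumes the DataStax Java driver 4.x query builder; the `users` table, `name` column and `UserDao` class are hypothetical.

```java
// Added example; assumes the DataStax Java driver 4.x query builder
// (java-driver-core and java-driver-query-builder on the classpath).
// Table "users", column "name" and class UserDao are hypothetical.
import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.bindMarker;
import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.literal;
import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.selectFrom;

import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.cql.PreparedStatement;
import com.datastax.oss.driver.api.core.cql.ResultSet;
import com.datastax.oss.driver.api.core.cql.SimpleStatement;

public class UserDao {
  // Built once: the CQL text contains a placeholder, never a value.
  private static final SimpleStatement BY_NAME =
      selectFrom("users").all().whereColumn("name").isEqualTo(bindMarker()).build();

  private final CqlSession session;
  private final PreparedStatement byName;

  public UserDao(CqlSession session) {
    this.session = session;
    this.byName = session.prepare(BY_NAME); // prepared once, reused for every call
  }

  // Alternative 1: prepared statement, value bound at execution time.
  public ResultSet findPrepared(String name) {
    return session.execute(byName.bind(name));
  }

  // Alternative 2: no prepare, but the value still travels separately from the CQL text.
  public ResultSet findSimple(String name) {
    return session.execute(
        selectFrom("users").all().whereColumn("name").isEqualTo(bindMarker()).build(name));
  }

  // The literal() pattern: the query is rebuilt, and its text changes, for every value.
  static String withLiteral(String name) {
    return selectFrom("users").all().whereColumn("name").isEqualTo(literal(name)).asCql();
  }

  public static void main(String[] args) {
    // No cluster needed: this only prints the generated CQL (constructed sample values).
    System.out.println(withLiteral("alice"));
    System.out.println(withLiteral("O'Brien")); // the quote is escaped by the builder
    System.out.println(BY_NAME.getQuery());     // one constant string with a ? marker
  }
}
```

Running `main` shows that each literal value yields a different CQL string, while the bind-marker statement stays constant and can be prepared once.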