I would expect authorization and validation to be a real pain with PostgREST (I don't know enough about it to tell definitively, though).
Even row-level access control, while not widespread any way, is often not enough. Complex validation in SQL can be done, of course, but SQL isn't exactly meant for these things, IMHO.
Maybe I just don't like the idea of putting all my application logic into SQL statements.
What I like about Django's ORM, for example, that you can declare a field to be an IP address, and this not only does the validation (which SQL can do easily, I am sure), but this declaration also carries over to HTML forms, admin interface, REST API serialization and HTML Templates.
I know more than basic SQL. Maybe I am indeed not an accomplished enough master in SQL, but I can't see why I would ever prefer SQL over Python in terms of defining application logic.
Even row-level access control, while not widespread any way, is often not enough. Complex validation in SQL can be done, of course, but SQL isn't exactly meant for these things, IMHO.