Depends on the context. Both methods are safe when well designed.
Several of our customers using geOrchestra edit layers directly in the database, while others use WFS-T, relying on GeoServer's native layer + services security.
If the database is not your only source for layers, you might consider WFS-T, which is more flexible when it comes to setting up the ACLs.