
I am not that worried about writing a web application properly. But I am just an amateur when it comes to administrating a server. I would be more worried about some security hole in some random service that is running on the server by default, that I never even heard about.

GAE doesn't even use SQL, btw. At least last time I checked they didn't - they seem to be planning to support it in the future, though.

However, even if the server is secure, I suppose if it were known that I am the admin of a Bitcoin bank, my home computer would become a target, too. If my home computer were hacked and I logged into the server, I would be screwed, too. It just seems too risky...




"I am not that worried about writing a web application properly.... I would be more worried about some security hole in some random service that is running on the server by default, that I never even heard about."

While the latter can happen and is broadly easier for a script kiddie, believe me, the former is nontrivial and very rarely done correctly. Your average web app is full of vulnerabilities, and while scanning can't quite be fully automated it's definitely something you can use automation to help with, so don't think you're secure-through-obscurity.


App Engine uses GQL which is effectively the same as SQL: http://code.google.com/appengine/docs/python/datastore/gqlre...

You can still directly append unescaped user input to your query and execute that against your datastore, though the limited capabilities of GQL do limit the attack surface somewhat.
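The two ways of building a GQL query that the comment above contrasts, shown side by side as an added illustration (this is example code written for this note, not code from the thread or from App Engine). The `build_*` helpers, the `Account` kind, and the sample inputs are constructed here; the `:1` placeholder is the positional parameter syntax the App Engine Python datastore API accepts for `GqlQuery`, but nothing below talks to a real datastore. The `query_shape` check is a small defensive aid: it strips every quoted literal out of a query and compares the remaining skeleton across inputs, so a builder whose statement structure varies with user input is flagged without any datastore round trip.

```python
"""Unescaped concatenation vs. parameter binding for a GQL-style query.

Example code added to this thread, not from App Engine. The datastore is
not involved; we only inspect the query text each builder produces.
"""


def build_query_unsafe(username):
    # Vulnerable pattern (the one the comment warns about): user text is
    # spliced into the query language itself, so a quote character in the
    # input changes the statement rather than just the value.
    return "SELECT * FROM Account WHERE owner = '%s'" % username


def build_query_safe(username):
    # Parameterised pattern: the query text is a constant and the value
    # travels separately. In App Engine this pair would be passed as
    # db.GqlQuery(text, *params); the datastore binds the value, so it can
    # never alter the statement's structure.
    text = "SELECT * FROM Account WHERE owner = :1"
    return text, (username,)


def query_shape(text):
    # Reduce a query to its grammatical skeleton: each single-quoted literal
    # is replaced by "?". An opening quote with no closing quote is reported
    # explicitly, because that is exactly what a stray quote in user input
    # produces in the unsafe builder.
    out = []
    i = 0
    while i < len(text):
        if text[i] == "'":
            close = text.find("'", i + 1)
            if close == -1:
                out.append("<UNTERMINATED>")
                break
            out.append("?")
            i = close + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def is_structurally_stable(builder, inputs):
    # True when every input yields the same query skeleton, i.e. the input
    # only ever fills a value slot. Accepts builders that return either a
    # bare query string or a (text, params) pair.
    shapes = set()
    for value in inputs:
        result = builder(value)
        text = result[0] if isinstance(result, tuple) else result
        shapes.add(query_shape(text))
    return len(shapes) == 1


# Constructed sample inputs: an ordinary name and one containing a quote.
# The second is not an attack string, just a legitimate surname, which is
# enough to break the concatenated query.
CONSTRUCTED_INPUTS = ["alice", "o'brien"]


if __name__ == "__main__":
    for name in CONSTRUCTED_INPUTS:
        print("unsafe:", build_query_unsafe(name))
        print("safe:  ", build_query_safe(name))
    print("unsafe builder stable:", is_structurally_stable(build_query_unsafe, CONSTRUCTED_INPUTS))
    print("safe builder stable:  ", is_structurally_stable(build_query_safe, CONSTRUCTED_INPUTS))
```

Run it and the unsafe builder is reported as unstable (the `o'brien` input leaves an unterminated literal), while the safe builder produces the identical skeleton for every input. The same shape check works as a quick unit test for any query-building helper: feed it a handful of awkward but legitimate values and assert the skeleton never changes.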



