I've been using LoopBack 3 in production for 18 months.
> added no value
It gives you an API explorer, routing, ORM, validation, error normalization, authentication, authorization via ACL, and more out-of-the-box. I'd consider this value.
> had lots of obvious vulnerabilities
I'd like to know more about this. The only thing I can think of is bypassing ACLs via fetching records and including relationships. I don't know of any framework or combination of libraries that doesn't have this vulnerability.
> LoopBack 3 was terrible - complicated
This is probably true. LoopBack 3 essentially uses a single model to represent your API and data model. This is the single responsibility principle taken to the extreme opposite. It's a complete nightmare at times. If you have an exact one-to-one mapping of your API to database, this may not be a problem.
> unless the entire team and philosophy behind it has been replaced
LoopBack 4 seems to be the same team, but I believe they have learned a lesson on coupling. https://loopback.io/doc/en/lb4/Crafting-LoopBack-4.html
> Models are overloaded with multiple responsibilities, such as data representation, persistence, and mapping to REST.
They have a way to go to reach feature parity with LB3: https://github.com/strongloop/loopback-next/issues/1920.
BTW, I also miss Rails.