Leaving databases exposed to the internet with no authentication is "common practice":
https://www.securityweek.com/thousands-mongodb-databases-found-exposed-internet
That doesn't make it "good"!
Even with good review processes, it's easy for someone to sneak in, change some SQL in the table, download/delete some data, then switch everything back to cover their tracks.
The risks are way higher with this method compared to static SQL in your code.
If you have review processes in place, why not put the SQL in code and review that?
This will also save lot of $ to business and makes development easier and improves quality.
Can you explain exactly where these savings will come from? And how this leads to better quality than reviewing SQL in your code?
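
The change-then-revert risk described above, as an added example that is not part of the original post: a point-in-time comparison of the SQL table sees nothing once the statement is switched back, while an update trigger that writes to an audit table keeps the evidence. The table names (`app_sql`, `app_sql_audit`), the stored statement and the SQLite in-memory database are all constructed for illustration.

```python
import hashlib
import sqlite3

def build_db():
    """Constructed schema: app_sql holds statements the application runs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_sql (name TEXT PRIMARY KEY, stmt TEXT NOT NULL);
        CREATE TABLE app_sql_audit (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT, old_stmt TEXT, new_stmt TEXT,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        -- Record every change to a stored statement, including the revert.
        CREATE TRIGGER app_sql_upd AFTER UPDATE OF stmt ON app_sql
        BEGIN
            INSERT INTO app_sql_audit (name, old_stmt, new_stmt)
            VALUES (OLD.name, OLD.stmt, NEW.stmt);
        END;
        INSERT INTO app_sql VALUES
            ('get_order', 'SELECT id, total FROM orders WHERE id = :id');
    """)
    return db

def snapshot(db):
    """Digest of all stored statements, as a periodic integrity check would take."""
    rows = db.execute("SELECT name, stmt FROM app_sql ORDER BY name").fetchall()
    return hashlib.sha256(repr(rows).encode()).hexdigest()

def unreviewed_changes(db, reviewed):
    """Audit rows whose new statement is not in the reviewed set."""
    rows = db.execute(
        "SELECT name, new_stmt FROM app_sql_audit ORDER BY id").fetchall()
    return [(name, stmt) for name, stmt in rows if stmt not in reviewed]

def demo():
    db = build_db()
    original = db.execute(
        "SELECT stmt FROM app_sql WHERE name = 'get_order'").fetchone()[0]
    before = snapshot(db)
    # Constructed tamper: swap the statement, then switch it back.
    for stmt in ("SELECT * FROM orders", original):
        db.execute("UPDATE app_sql SET stmt = ? WHERE name = 'get_order'", (stmt,))
    after = snapshot(db)
    # The snapshots match, so only the audit trail shows the change.
    return before == after, unreviewed_changes(db, {original})

if __name__ == "__main__":
    print(demo())
```

The audit trail only holds if the account that can update `app_sql` cannot also modify `app_sql_audit` or drop the trigger. Static SQL in reviewed code does not need this extra control.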