Create action does not honor database policy

In the current version the create action does not honor the specified database policy, which means that a request can create a new row in the database even if that row is outside the scope of the defined policy for that request. For example if I have the following entity:

"Todo": {
  "source": {
    "object": "dbo.todos",
    "type": "table"
  },
  "rest": {
    "path": "todo"
  },
  "permissions": [
    {
      "role": "anonymous",
      "actions": [
        {
          "action": "*",
          "policy": {
            "database": "@item.owner_id eq 'public'"
          }                                    
        }            
      ]        
    }                
  ]
}

I should not be able to send a POST request like the following:

curl --request POST \
  --url https://localhost:5001/api/todo \
  --header 'Content-Type: application/json' \
  --data '{   
  "title": "Testing policy",
  "completed": false,
  "owner_id": "hack!"
}'

but of course it works right now as the generate INSERT statement is the following:

INSERT INTO [dbo].[todos] ([title], [completed], [owner_id]) 
OUTPUT Inserted.[id], Inserted.[title], Inserted.[completed], Inserted.[owner_id] 
VALUES (@param0, @param1, @param2);

my proposal is to change the way the INSERT is generated so that DAB will generate the following SQL statement:

INSERT INTO [dbo].[todos] ([title], [completed], [owner_id]) 
OUTPUT Inserted.[id], Inserted.[title], Inserted.[completed], Inserted.[owner_id] 
SELECT [title], [completed], [owner_id]
FROM (VALUES  (@param0, @param1, @param2)) T([title], [completed], [owner_id])
WHERE [owner_id] = @param_from_policy

so that all values that are not compatible with the policy will be filtered out by the WHERE clause (as it happens for other statements)