Hi!
I am proposing this feature, based on the Ruby on Rails permit parameter.
Here is the explanation.
In Ruby on Rails, if permit is not called on parameters, database items cannot be created/updated.
With permit, the developer sets which parameters can be updated.
E.g. on user registration that could be :email, :password, :username.
So if a hacker tries to update all possible database attributes using curl, e.g. for user registration the token activation time, this would fail.
In Phoenix, the call to the cast method on a changeset should be made mandatory.
Regards, Karlo.
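
The behaviour described in the post above, as an added example that is not part of the original message and is not Rails or Phoenix code: a plain-Ruby stand-in where assignment is refused unless the parameters went through an allowlist first. The `Params`, `User` and `ForbiddenAttributes` classes, the `token_activated_at` attribute and the request body are hypothetical and constructed for the illustration.

```ruby
# Added illustration in plain Ruby; not Rails' or Phoenix's implementation.
# Params, User and the attribute names are hypothetical stand-ins.
class ForbiddenAttributes < StandardError; end

# Minimal stand-in for strong parameters: a hash that records whether an
# allowlist has been applied to it.
class Params
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_sym)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Keep only the allowlisted keys and mark the result as safe to assign.
  def permit(*keys)
    Params.new(@hash.slice(*keys), permitted: true)
  end

  def to_h
    @hash.dup
  end
end

class User
  ATTRIBUTES = %i[email password username token_activated_at].freeze
  attr_accessor(*ATTRIBUTES)

  # Unprotected path: every known attribute found in the request is assigned.
  def self.create_unchecked(params)
    user = new
    params.to_h.each { |k, v| user.public_send("#{k}=", v) if ATTRIBUTES.include?(k) }
    user
  end

  # Mandatory-allowlist path: parameters that never went through permit are refused.
  def self.create(params)
    raise ForbiddenAttributes, "call permit first" unless params.permitted?
    create_unchecked(params)
  end
end

# Constructed registration request carrying one attribute the form never offers.
REQUEST = { "email" => "a@example.com", "password" => "s3cret",
            "username" => "alice", "token_activated_at" => "2020-01-01" }.freeze
```

With `User.create(Params.new(REQUEST).permit(:email, :password, :username))` the extra attribute is dropped, and passing the raw parameters raises instead of silently assigning it.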