I believe since version 3.1, the pages now have Page Access Protection. Use this feature to the fullest to protect the sensitive pages in your application. Without this malicious users can tamper with the URL and do harm. It's available under Page Attributes -> Security -> Page Access Protection. I recommend using "Arguments must have checksum". This will ensure that a checksum is appended to the URL that is specific to only that specific instance of the URL and cannot be manipulated.
In addition, you should also use another mechanism to secure the sensitive buttons, pl/sql processes in the page.