Hitting this exactly. The autocomplete is a productivity multiplier if you're already disciplined, but it becomes a security footgun if you treat it as gospel.
What actually worked for me: disabled inline suggestions entirely. Use Cursor's chat for architecture decisions and code review instead. The latency forces you to think before accepting.
On your specific examples, those aren't Cursor failures. Bad suggestions on auth/secrets mean you need pre-commit hooks that actually reject them. That's not optional with any AI tool, or without one.
The "review will catch it" assumption breaks at velocity. Automate the catches instead.
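One way to automate that catch, as an added example that is not part of the comment above: a Git pre-commit hook in Python that scans only the added lines of the staged diff and refuses the commit on a hit. The rule set, the sample diff and the name `find_secrets` are assumptions made for illustration, not a complete ruleset.

```python
import re
import subprocess
import sys

# Illustrative rules (assumptions, not a complete ruleset); tune them per repo.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?:password|passwd|secret|api_?key|token)['\"]?\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I),
    "tls-verify-disabled": re.compile(r"\bverify\s*=\s*False\b"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Constructed sample diff; the key is AWS's documented placeholder, not a real one.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

def find_secrets(diff_text):
    """Return (path, new_line_no, rule) for each rule hit on an added line."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # file headers follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")   # header, not an added line
        elif (m := HUNK.match(line)):
            lineno, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):
            findings += [(path, lineno, n) for n, rx in RULES.items() if rx.search(line[1:])]
            lineno += 1
        elif in_hunk and line.startswith(" "):
            lineno += 1                          # context line, unchanged
    return findings

def main():
    cmd = ["git", "diff", "--cached", "-U0", "--no-color"]  # staged changes only
    findings = find_secrets(subprocess.check_output(cmd, text=True))
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}", file=sys.stderr)
    return 1 if findings else 0                  # non-zero exit aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, the script aborts the commit whenever it exits non-zero.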