Yeah, you're absolutely right. I think I just realized the answer. Basically when an attribute is not attr_accessible, you want to set it inside your controller directly, which makes it impossible for it to be set with a rogue request like I mentioned above. Also, if your controller is setting a variable directly from params, that's when you know something is wrong and that that variable is basically attr_accessible.
Thanks Flo