LoopBack 3 was terrible - complicated, added no value, encouraged creating vulnerabilities, had lots of obvious vulnerabilities in official components. LoopBack 4 looks pretty different, but I wouldn’t trust it to be good unless the entire team and philosophy behind it has been replaced.
I've been using LoopBack 3 in production for 18 months.
> added no value
It gives you an API explorer, routing, ORM, validation, error normalization, authentication, authorization via ACL, and more out of the box. I'd consider this value.
> had lots of obvious vulnerabilities
I'd like to know more about this. The only thing I can think of is bypassing ACLs via fetching records and including relationships. I don't know of any framework or combination of libraries that doesn't have this vulnerability.
> LoopBack 3 was terrible - complicated
This is probably true. LoopBack 3 essentially uses a single model to represent your API and data model. This is the single responsibility principle taken to the extreme opposite. It's a complete nightmare at times. If you have an exact one-to-one mapping of your API to database, this may not be a problem.
> unless the entire team and philosophy behind it has been replaced