Flowable identity links

Hi,

I just want to confirm the following:
identityLinks are used to store relations (e.g. participants, candidates) for processes and tasks. The only constraints there are put on the processInstance, processDefinition and task Id_ columns.
So in fact User and group columns can contain any value.
Queries can search for User/Group values.
And there is no restriction based on the relationship stored in the ACT_RU_IDENTITYLINK table (e.g. I can not complete a task if I am not a candidate user (because security is not implemented on the engine level)).

Am I right?

Regards
Martin