Tags: jira, sql-injection, jql

Is the Jira feature 'JQL' (Jira Query Language) a threat for the security of my Jira installation?


As I understood it, JQL is used within a feature called 'Advanced Search' to dig up information stored in my Jira DB. It is a SQL-like query language.

I can compose (and later reuse) a URL that contains a complete JQL query. Example:

https://[mysite.com]/issues/?jql=project%20%3D%20PVZ%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC

Even if I am not logged in to that server, the query hits the database of the (Jira) server and gives back a valid answer. E.g. if I fire the query above against the demo Jira powered by Atlassian, the answer is:

The value 'PVZ' does not exist for the field 'project'.

No issues were found to match your search. Try logging in to see more results

Is this a security threat? Can I expose sensitive (Jira related) information by accident if I allow this feature? Can JQL be abused for SQL injection? Can I disable this feature for not logged-in users? Should I disable this feature for not logged-in persons?


Solution

If you are not logged in to the server, your query will not be executed and you will get no results, unless the JIRA instance has been specifically set up to allow anonymous viewing of issues, such as jira.atlassian.com.

JQL is a separate language from SQL and does not suffer from the same kinds of injection risks that I know of.

I recommend reading about JIRA permission schemes, particularly the Browse Project permission.
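To make the answer's point concrete, here is an added example (not Jira's code and not from the original post) of how a query language like JQL is typically handled: the text is parsed into a clause tree in which every value is an opaque literal, so SQL metacharacters inside a value cannot change the query's structure, and anything that is not valid JQL is rejected before any search runs. It assumes a small hypothetical JQL subset and field list; the first input it is meant for is the decoded `jql=` parameter from the URL in the question.

```python
import re

# Toy JQL subset: field OP value (AND ...)* [ORDER BY field ASC|DESC]. KNOWN_FIELDS is a hypothetical demo list.
KNOWN_FIELDS = {"project", "resolution", "priority", "status", "assignee"}
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(!=|=)|([^\s=!"\']+)|(\S)')

def tokenize(jql):
    """Return (kind, text) pairs; quoted text becomes one STR token whatever it contains."""
    out = []
    for m in TOKEN_RE.finditer(jql):
        dq, sq, op, word, junk = m.groups()
        if junk is not None:  # stray quote or symbol: reject rather than guess
            raise ValueError(f"unexpected character {junk!r}")
        out.append(("OP", op) if op else ("WORD", word) if word else ("STR", dq if dq is not None else sq))
    return out

def parse_jql(jql):
    """Return (clauses, order_by); each clause is (field, op, value) and value is never re-parsed as syntax."""
    toks, clauses, order_by, i = tokenize(jql), [], None, 0
    while i < len(toks):
        kind, text = toks[i]
        if kind == "WORD" and text.upper() == "AND":
            i += 1
            continue
        if kind == "WORD" and text.upper() == "ORDER":
            if i + 2 >= len(toks) or toks[i + 1][1].upper() != "BY":
                raise ValueError("malformed ORDER BY")
            field, direction, i = toks[i + 2][1].lower(), "ASC", i + 3
            if i < len(toks):
                direction, i = toks[i][1].upper(), i + 1
            if field not in KNOWN_FIELDS or direction not in ("ASC", "DESC") or i != len(toks):
                raise ValueError("bad ORDER BY clause")
            order_by = (field, direction)
            continue
        if kind != "WORD" or text.lower() not in KNOWN_FIELDS:
            raise ValueError(f"unknown field {text!r}")
        if i + 2 >= len(toks) or toks[i + 1][0] != "OP":
            raise ValueError(f"expected 'field OP value' at {text!r}")
        clauses.append((text.lower(), toks[i + 1][1], toks[i + 2][1]))
        i += 3
    return clauses, order_by

def is_well_formed(jql):
    try:
        parse_jql(jql)
        return True
    except ValueError:
        return False
```

A quoted value such as `"PVZ' OR 1=1 --"` parses as one literal for the `project` field, and the same text unquoted is a syntax error; neither can escape the value position the way concatenated SQL could.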