It can be changed on the client, but the default is set on the server. Someone would have to intentionally change it in order to have this problem. If a malicious user has access to your database, changing the SQL mode is the least of your worries.
Re^3: [OT] Why I don't use Mysql for new projects
It still means you have to be wary about who/what you give access to the DB. For some (most?) apps you'd do that anyway, but others might benefit from a more open policy. What if someone has a legacy app built for 4.x ... the quickest way to get it working is just to set the mode to "traditional". It might be a minor thing, but it's something you simply won't have to worry about with Postgres. (Unless there's a way to disable a mode completely on the server, in which case ignore me :)