
Re: How to disallow read/write client files from the client?


I will bring this up with the SQL Anywhere team. However, for the record, I don't see this as a serious security issue, unless I am missing something fundamental.

I don't disagree that this *could* happen, but there are just too many security-destroying prerequisites that need to occur for it to happen. Two of the biggest IMO are that the attacker has to be on the client network and have completely compromised the database server machine (not just the database server process). Both of these things are way way way bigger breaches than what you are talking about in most cases. If they are already into the network that far, the database client security isn't going to prevent an attacker from doing damage.

On top of that, they would need to reverse engineer the complete SQL Anywhere communications protocol (not just the file access pieces) to fool the client into thinking it is talking to a server, and the client application would actually have to issue the commands in question for the MITM to inject a malicious read/write. If the application never issues LOAD/UNLOAD TABLE from file, or uses the read/write file procedures, that would be sufficient to prevent this attack.

Given this information, can you give me more information on why you think this is so serious/important to fix?

--Jason
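The reply above points out that the attack only works if the application actually issues client-file statements. The following is an added example, not from the thread or the SQL Anywhere team, showing the server-side complement to that: the public database options that refuse client-file reads and writes outright, with the permissive setting beside the restrictive one. It assumes SQL Anywhere 11 or later (where the `allow_read_client_file` and `allow_write_client_file` options exist) and a connection with the privilege to set PUBLIC options; the verification query against `SYS.SYSOPTION` is an assumption about that view's column names and may need adjusting for your version.

```sql
-- Added example (not the project's own code). Restricts client-file
-- transfer on the SQL Anywhere server, so that even a connection that
-- has been tampered with cannot turn LOAD/UNLOAD TABLE ... FROM/TO a
-- client file, or READ_CLIENT_FILE() / WRITE_CLIENT_FILE(), into a
-- read or write on the client machine.
-- Assumes SQL Anywhere 11+ and a user allowed to set PUBLIC options.

-- Permissive state: every connection may be asked to ship client files.
SET OPTION PUBLIC.allow_read_client_file  = 'On';
SET OPTION PUBLIC.allow_write_client_file = 'On';

-- Restrictive state: the server refuses client-file reads and writes
-- regardless of what SQL a (real or spoofed) session sends.
SET OPTION PUBLIC.allow_read_client_file  = 'Off';
SET OPTION PUBLIC.allow_write_client_file = 'Off';

-- Check the effective PUBLIC settings (assumes the SYS.SYSOPTION view
-- exposes "option" and "setting" columns; adjust for your version).
SELECT "option", setting
  FROM SYS.SYSOPTION
 WHERE "option" LIKE 'allow_%_client_file';
```

Turning both options off addresses the last precondition Jason lists: with client-file access disabled at the server, an application that never needs LOAD/UNLOAD TABLE from a client file loses nothing, and a spoofed server cannot request one. The earlier precondition (an attacker positioned on the client network impersonating the server) is the one an encrypted, certificate-verified connection is meant for; consult the SQL Anywhere documentation for your version on the `-ec tls(...)` server option and the client-side `Encryption=tls(...)` parameter with a trusted-certificates file.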

