Confused about security and model rules

I understand why rules for a CFormModel should only reference attributes that are on the user form. However does this apply to CActiveRecord classes? as these are not used in the same way.

The reason I ask is because I am finding I often have a situation where there is data that needs validating that whilst not being user input, is derived from user input, and I don’t want that derived data being exposed to the end user as it would create security issues. From a neatness perspective it makes sense to put these validators in the rules method of the activerecord. So that I can just call the model validate method to cover all cases. Is there a reason why I should not do so?

An example of derived information would be a decrypted primary key that is stored on the page in an encrypted format because it is needed on post back.

lgoss007 posted an answer here