Ok, I've done some more reading and I think that I have this down now.
Somebody tell me if I'm on the right/wrong path.
attr_accessible lists attributes that are open to mass-assignment. So,
for security reasons, we shouldn't allow anything in attr_accessible
that we wouldn't let the user define themselves.
Active Record automatically creates setter/getter methods for columns in
databases - since my users table has a "name" column, for example, I can
use @user.name in my models/views/controllers and it'll just work.
However, when I want to use a virtual attribute (something that isn't
persisted in the database but that I still want to manipulate in Rails,
like @user.signing_up), ActiveRecord can't do that for me, and I have to
make setter/getter methods for that myself. I can make those with
attr_accessor, but they won't be mass-assignable, and so they won't be
vulnerable to mass-assignment attacks.
Finally, since the whitelist approach to security is better than the
blacklist approach, attr_protected should just be ignored.
Do I have all that right?