$fillable Has No Context: Why Mass Assignment Breaks Down at Scale

Mass assignment in Laravel is one of those things that feels like magic at first. You see it in every tutorial: just toss your validated data into Model::create($data) or $model->update($request->validated()), set up your $fillable, and you're off to the races. For quick projects? It works. But when your app starts to get bigger, what once felt convenient can start to cause real trouble. The Usual Approach Let's be real-most controllers start out pretty much like this: // OrderController.php public function store(OrderStoreRequest $request): OrderResource { $order = Order::query()->create($request->validated()); return OrderResource::make($order); } It's clean, it's simple, and it just works. You throw whatever new fields you need into $fillable, and data slides right in. But your Order model slowly grows. You add billing fields, delivery options, status flags, internal data. Suddenly $fillable looks like this: protected $fillable = [ 'user_id', 'manager_id', 'number', 'pri