The isolation of companies is strongly enforced by BQL, and you won't be able to retrieve data from another company unless you're logged into this company. The ORM also takes care of returning you the data from other company IDs if this data is split/shared with another company. As you have noticed, for tables that don't contain a CompanyID field, the system returns all the data contained in this table.
You are also not allowed to run direct SQL queries unless you go through a stored procedure, and you won't be able to open a SqlConnection unless you modify the default security policy (SqlClientPermission inside web_project_x.config). Allowing direct SQL queries could potentially make the application vulnerable to SQL injection, and also makes the data of other companies 'permeable' -- although most installations use a separate database for each registered customer, Acumatica is also used in fully multi-tenant environments, and we need to ensure there is proper isolation between the tenants (customers).
If you are developing an ISV solution that is intended for multiple Acumatica customers, I would strongly advise that you avoid techniques to bypass the ORM. Such solutions will not be certified by Acumatica and I consider them suitable only for one-off customizations. Instead, you can use one of the following ways to get to your data:
- Create a special table without a CompanyID which would store data available to all companies
- Use web services to connect to other companies
- Use a PXLoginScope block to temporarily run code under the identify of another user in another company
- Create a SQL View that is bound to a BQL table of the same name
- Call a SQL stored procedure which aggregates data from multiple companies (and omit the CompanyID field in the resulting view)
Another argument for sticking with BQL is that your code will work transparently on MySQL and SQL Server. If you rely on a SQL view or stored procedure, you will have to create different versions to support both platforms.