Always be threat modeling
Data is a liability. Keep asking which resources need protecting, where the system's trust boundaries lie, who can reach what from every side of those boundaries, and what it would realistically take for an attacker to cause a breach.
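Those questions become mechanical once the system is written down as assets, trust zones and flows. The following is an added illustration in Python, not code from the original page; the components, zones, data classes and control names in it are made up for the example and do not describe any real system.

```python
# Added example (not from the original page): a tiny threat model expressed as
# data, so the questions above can be asked of a system mechanically. The
# components, zones, data classes and control names below are assumptions
# made up for illustration, not a real system.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str                          # trust zone, e.g. "untrusted", "dmz", "internal"
    holds: frozenset = frozenset()     # data classes stored here, e.g. {"pii"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    controls: frozenset = frozenset()  # controls enforced on this flow, e.g. {"tls", "authn"}


class ThreatModel:
    def __init__(self, components, flows):
        self.components = {c.name: c for c in components}
        self.flows = list(flows)

    def crossing_flows(self):
        """Flows that cross a trust boundary (source and destination in different zones)."""
        return [f for f in self.flows
                if self.components[f.src].zone != self.components[f.dst].zone]

    def unguarded_crossings(self, required=frozenset({"authn"})):
        """Boundary crossings missing any required control: the first place to look."""
        return [f for f in self.crossing_flows() if not required <= f.controls]

    def reachable_data(self, start, without=None):
        """Data classes an actor starting at `start` can reach by following flows.
        If `without` names a control, only flows NOT enforcing it are followed,
        i.e. what an actor lacking that control (say, unauthenticated) can reach."""
        seen, stack, data = set(), [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            data |= self.components[node].holds
            for f in self.flows:
                if f.src == node and (without is None or without not in f.controls):
                    stack.append(f.dst)
        return data


def sample_model():
    """Constructed sample system: an API in front of a database, plus a metrics
    dashboard that was exposed to the internet without authentication."""
    return ThreatModel(
        components=[
            Component("internet", "untrusted"),
            Component("api", "dmz"),
            Component("db", "internal", frozenset({"pii", "credentials"})),
            Component("metrics", "internal", frozenset({"telemetry"})),
        ],
        flows=[
            Flow("internet", "api", frozenset({"tls", "authn", "authz"})),
            Flow("api", "db", frozenset({"tls", "authn"})),
            Flow("api", "metrics", frozenset({"tls"})),
            Flow("internet", "metrics"),
        ],
    )


if __name__ == "__main__":
    m = sample_model()
    for f in m.unguarded_crossings():
        print(f"unguarded boundary crossing: {f.src} -> {f.dst} (controls={sorted(f.controls)})")
    print("reachable without authn:", sorted(m.reachable_data("internet", without="authn")))
    print("reachable with authn:   ", sorted(m.reachable_data("internet")))
```

The two checks map directly onto the questions: `unguarded_crossings` finds boundaries an attacker can walk across without presenting anything, and `reachable_data(..., without="authn")` answers what an unauthenticated actor can actually get to. In the constructed model the exposed metrics dashboard shows up in both.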
Dependency Injection is always the answer
There aren't many hills I'd die on, but DI is one I refuse to budge on.
The minor inconvenience of added indirection is far outweighed by a code base whose collaborators can be swapped, faked and tested with minimal side effects.
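Security-sensitive code is where this pays off most: anything that touches time or key material is painful to test unless it is injected. The following token service is an added example in Python, not code from the original page; the `Clock` and `SecretSource` interfaces, the `subject.expiry.mac` token layout and the fake clock are all assumptions made for the illustration.

```python
# Added example (not from the original page). Every side-effecting collaborator
# (wall-clock time, signing key) is passed in through the constructor, so the
# expiry logic can be exercised with a fake clock instead of sleeping, and the
# real key never has to exist in a test. Interface and token layout are assumed.
import hashlib
import hmac
import time
from typing import Optional, Protocol


class Clock(Protocol):
    def now(self) -> float: ...


class SecretSource(Protocol):
    def signing_key(self) -> bytes: ...


class SystemClock:
    def now(self) -> float:
        return time.time()


class StaticSecret:
    """Holds one key in memory; a real deployment would inject a KMS-backed source."""
    def __init__(self, key: bytes):
        self._key = key

    def signing_key(self) -> bytes:
        return self._key


class FakeClock:
    """Test double: time only moves when the test says so."""
    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenService:
    """Issues and verifies tokens of the form 'subject.expiry.hexmac'."""
    def __init__(self, clock: Clock, secrets: SecretSource, ttl_seconds: int = 900):
        self._clock = clock
        self._secrets = secrets
        self._ttl = ttl_seconds

    def _mac(self, body: str) -> str:
        return hmac.new(self._secrets.signing_key(), body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str) -> str:
        expiry = int(self._clock.now()) + self._ttl
        body = f"{subject}.{expiry}"
        return f"{body}.{self._mac(body)}"

    def verify(self, token: str) -> Optional[str]:
        """Return the subject if the MAC is valid and the token is unexpired, else None."""
        try:
            subject, expiry_text, mac = token.rsplit(".", 2)
            expiry = int(expiry_text)
        except ValueError:
            return None
        expected = self._mac(f"{subject}.{expiry}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None          # forged or tampered token
        if self._clock.now() >= expiry:
            return None          # expired
        return subject


if __name__ == "__main__":
    # Production wiring is a one-liner: TokenService(SystemClock(), StaticSecret(key)).
    clock = FakeClock(1_000_000.0)
    svc = TokenService(clock, StaticSecret(b"test-key"), ttl_seconds=60)
    tok = svc.issue("alice")
    print("fresh token verifies as:", svc.verify(tok))
    clock.advance(61)
    print("after 61s verifies as: ", svc.verify(tok))
```

Notice that the expiry branch, the tamper branch and the wrong-key branch are all reachable from a test without monkeypatching `time.time` or reading a key from the environment; that is the "minimal side effects" the principle is about.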
A job done well means not over-engineered
Over-engineering is complexity that burdens code bases, developers and budgets. We need to encourage each other to solve today's problems, not tomorrow's.
Could, would, should
The three most powerful words I use consistently in code reviews. No condescending tones, no orders, just simple open-ended questions that lead the author to reevaluate and stay in control of their code.
Nesting reduces readability and increases cognitive load. Reduce it, or better yet, never nest: return early and extract code blocks when feasible.
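An authorization check is a good place to see why this matters: in a deeply nested version the deny path is whatever falls out of the bottom, while with early returns every rule is one visible line and deny-by-default is explicit. The following is an added example in Python, not code from the original page; the `User`, `Document`, role and classification names are made up for the illustration, and both functions implement the same rules so they can be checked against each other.

```python
# Added example (not from the original page): the same access rule written with
# nesting and then with guard clauses. The model (users, roles, document
# classifications) is an assumption made up for the illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: str
    active: bool
    roles: frozenset


@dataclass(frozen=True)
class Document:
    owner_id: str
    classification: str   # "public", "internal" or "secret"
    deleted: bool = False


def can_read_nested(user: Optional[User], doc: Document) -> bool:
    """Before: every rule adds a level, and the only deny is the fall-through at the end."""
    if user is not None:
        if user.active:
            if not doc.deleted:
                if doc.classification == "public":
                    return True
                else:
                    if doc.owner_id == user.id:
                        return True
                    else:
                        if doc.classification == "internal":
                            if "staff" in user.roles:
                                return True
                        elif doc.classification == "secret":
                            if "admin" in user.roles:
                                return True
    return False


def _is_usable_subject(user: Optional[User]) -> bool:
    """Extracted block: the subject-side preconditions, named so they read as one check."""
    return user is not None and user.active


def can_read(user: Optional[User], doc: Document) -> bool:
    """After: flat guard clauses, deny by default, one rule per line."""
    if not _is_usable_subject(user):
        return False
    if doc.deleted:
        return False
    if doc.classification == "public":
        return True
    if doc.owner_id == user.id:
        return True
    if doc.classification == "internal":
        return "staff" in user.roles
    if doc.classification == "secret":
        return "admin" in user.roles
    return False   # unknown classification: deny, and the reader can see that


if __name__ == "__main__":
    staff = User("u1", True, frozenset({"staff"}))
    print(can_read(staff, Document("u9", "internal")))   # staff may read internal docs
    print(can_read(staff, Document("u9", "secret")))     # but not secret ones
```

The flat version also makes review questions easy to ask: "what happens for a classification we have not seen?" is answered by the last line rather than by tracing which `if` lacks an `else`.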
SOLID, KISS, DRY = suggestions, not rules
Extensibility, flexibility and maintainability should be balanced against future effort, developer sanity and how quickly a newcomer can get productive.
Often it is okay to repeat yourself; it is okay to be verbose and straightforward.
Naming is hard
Naming and organization are among the hardest parts of engineering. A poorly chosen name will haunt your code base for years, so don't underthink it.