Hi,
The users module uses MySQL, where as the core.data module is Mongo. There is no access to the users through any of the database methods.
If you wanted to build your own user system, you would want to do that with a custom server-side api. The core.users module should be able to handle most needs though.
I did do another security audit and patched up a few things in the 2.3.1 upgrade/release. At this time there is no way to manipulate any user based data except through the users module.
-dev