The following won't break (at least not in the bad way), I don't think:
$sth = $dbh->prepare("SELECT document FROM table WHERE tag=? AND security_level=?");
$sth->bind_param(1,foo());
$sth->bind_param(2, $user_level);
$sth->execute();
Ah yes, but that's a slightly different feature to the one demonstrated by the author (https://www.youtube.com/watch?feature=player_detailpage&v=gw...). However that's not to say that the vulnerability you raised isn't also a serious one developers need to be mindful of.