Generally, since you are storing this in a DB, I would tend to recommend a Gateway Timer Event. The event would then check the PLC's copy of the structure against the DB copy and then choose to record a change or not.
You could also achieve this with a Gateway Tag Change Event on a Trigger Tag, then the device could be responsible for triggering the database operation.
It's less about security and more about execution time. Tag event scripts run in a limited thread pool, so best practice is to not execute potentially long running tasks there. Doing so can lead to missed events.
Here is a discussion on the topic.