Re: “accidentally left open” is incorrect...
It only takes use of a tool uploading an object with a “public” ACL to make some content public.
It’s easily done: one of my colleagues had it happen with some autogenerated CI reports, not fully appreciating the significance of HTML in an S3 bucket that they could directly access via a web browser (it had a “complex” URL path, but required no authentication).
You can write an S3 policy to prevent public ACLs on objects, at the expense of breaking tools like the above, but it’s hard (impossible?) to write one that enforces access to only IAM users from your account - unless you are willing to modify the policy for every user you add or remove.
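An added example (not the commenter's own code) of the bucket-policy approach mentioned above: a Deny statement on public canned ACLs, plus a small evaluator that shows which upload requests it would block. The bucket name is a placeholder, and the evaluator covers only the Deny/StringEquals case, not full IAM evaluation.

```python
import json
from typing import Optional

# Constructed example bucket policy: deny any upload or ACL change that sets a
# canned ACL granting access to everyone or to all AWS-authenticated users.
# "<bucket-name>" is a placeholder to be replaced with the real bucket.
PUBLIC_CANNED_ACLS = ["public-read", "public-read-write", "authenticated-read"]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicCannedAcls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": PUBLIC_CANNED_ACLS}},
        }
    ],
}


def request_denied(action: str, acl: Optional[str], policy: dict = BUCKET_POLICY) -> bool:
    """Return True if a Deny statement in `policy` matches a request performing
    `action` with canned ACL `acl` (None = no x-amz-acl header sent).

    Simplified evaluator: only Deny statements with a StringEquals condition on
    s3:x-amz-acl are considered. As in IAM, a StringEquals condition does not
    match when the request lacks the key, so ACL-less uploads are not denied.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl", [])
        if acl is not None and acl in wanted:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    # A CI tool uploading reports with public-read now gets AccessDenied,
    # while a default (private) upload still succeeds.
    print("public-read PutObject denied:", request_denied("s3:PutObject", "public-read"))
    print("private PutObject denied:", request_denied("s3:PutObject", "private"))
```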