Not enabled by default
"Palo Alto confirmed to The Register that GlobalProtect is not enabled by default, though anecdotal evidence suggests it's widely used."
My experience with firewalls and security products is that no features are enabled by default. Maybe basic NAT routing at most or management access.
If there was a 0-day with e.g. VPN, would the vendor just brush it away saying that feature is not on by default? (not saying Palo Alto is guilty of this)