Re: "...open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network"
Nothing wrong with that, so long as they know what they're doing, such as manually specifying the DNS servers they're going to use, and sending data via an encrypted tunnel (VPN, SSH, etc.), preferably on a service which has 2FA built into the authentication.
(DVR / Cameras)
I suspect these (L)users just plug the device in and, voilà, the UPnP-enabled router opens ports up; included also is an API horrorshow as part of the registration?
I've read about some of these ill-thought-out API systems: dude buys camera, registers it, then sends it back for refund; they don't want it anymore for whatever reason, consumer rights etc. Another dude buys the same camera that was returned, and the previous owner can now see inside the new owner's home via their "account", but the new owner has no idea; it's also registered to his account. In other words, the software engineers didn't bother to think about this very highly likely scenario.
Literally the most stupid people are allowed to design IoT products, and more
Definitely and where possible also with 802.1x wired authentication
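
The returned-camera scenario described in the comments above, as an added example that is not part of the thread or any vendor's code: an additive registration keeps the previous owner's access, while a registration that needs a fresh one-time code from a factory reset and replaces the bound account does not. The `DeviceRegistry` class, its method names, the pairing-code mechanism and the serial number are all hypothetical.

```python
import secrets

class DeviceRegistry:
    """Hypothetical cloud-side account binding for a camera, keyed by serial."""

    def __init__(self):
        self.owners = {}         # serial -> set of accounts allowed to view
        self.pairing_codes = {}  # serial -> one-time code from the last reset

    def register_naive(self, serial, account):
        # Flawed pattern from the scenario: every registration is additive,
        # so the account of whoever returned the camera keeps its access.
        self.owners.setdefault(serial, set()).add(account)

    def factory_reset(self, serial):
        # Assumed device behaviour: a physical reset makes the camera report
        # a fresh one-time code that only the person holding it can read.
        code = secrets.token_hex(8)
        self.pairing_codes[serial] = code
        return code

    def register_exclusive(self, serial, account, code):
        # Hardened: the code is consumed on every attempt (right or wrong),
        # and a successful registration replaces the set of bound accounts.
        expected = self.pairing_codes.pop(serial, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        self.owners[serial] = {account}
        return True

    def can_view(self, serial, account):
        return account in self.owners.get(serial, set())


def demo():
    """Return whether the first buyer can still view after the resale."""
    serial = "CAM-EXAMPLE-0001"  # constructed sample value
    naive, fixed = DeviceRegistry(), DeviceRegistry()
    naive.register_naive(serial, "first_buyer")
    naive.register_naive(serial, "second_buyer")
    fixed.register_exclusive(serial, "first_buyer", fixed.factory_reset(serial))
    fixed.register_exclusive(serial, "second_buyer", fixed.factory_reset(serial))
    return (naive.can_view(serial, "first_buyer"),
            fixed.can_view(serial, "first_buyer"))

if __name__ == "__main__":
    print(demo())
```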