Re: You call them "policies" I call they default settings.
It *is* default!
However, if you are delegating control over a bucket within an account, you end up with some herp-derp for whom "IAM 101" might as well have been in Minoan Linear A who, after 2 failed attempts at secure access, just sets public on their bucket.
This is a ... I believe in the UK the favourite term is now "backstop"?