They ARE secure by default with only the private owner account having access - adding public access requires permissions to be granted by an administrator.
However a combination of the JFDI approach to problem solving and admins assuming they are JUST granting filesystem permissions and something else will manage security (i.e. the typical on-prem model) means mistakes are made.
Biting the hand that feeds IT
