Sort of. ES >= 2.0 only binds to localhost by default, so it's at least not by default exposed to the internet. Versions < 2.0 suffer from exactly that flaw: No auth, bind to all ports.
I think this is still a cop-out: first thing junior will do when he can't connect to his database from home is Google it, then find out how to bind to all IPs. Network access is BARELY viable access control, as it's too easy to fail open.
I absolutely agree with you. One of my biggest issues with ES is that authentication (even basic) and encrypted intra-cluster communication require a (commercial) plugin. Either Shield, which is not available as a standalone piece of software, or SearchGuard, which is sort-of-free with limited functionality. I do consider those basic functions that should be available out of the box.
The basic version of Search Guard provides TLS/SSL encrypted intra-cluster communication and also HTTP basic authentication totally free of charge, also for commercial projects. Only for authentication methods like LDAP or Kerberos, or for advanced features like Document-Level-Security and audit logging, a license is needed. Disclaimer: I work for floragunn/Search Guard.
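An added example, not code from any poster in this thread or from Elasticsearch: a small audit of an `elasticsearch.yml` for the fail-open case discussed above, a non-loopback bind with no sign of an auth plugin. The `audit` helper, the flat-key parser and the use of `shield.`/`searchguard.` setting prefixes as a hint are assumptions of this sketch, and the sample config line is constructed.

```python
import ipaddress

BIND_KEYS = ("network.host", "network.bind_host")
LOOPBACK_NAMES = {"localhost", "_local_"}
# Assumption: any setting under these prefixes hints that Shield or
# Search Guard is configured. A heuristic, not proof that auth is enforced.
AUTH_PREFIXES = ("shield.", "searchguard.")

def parse_flat(text):
    """Read flat 'key: value' lines; nested YAML is not handled (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, _site_, _global_: treat as reachable

def audit(text, major_version):
    settings = parse_flat(text)
    hosts = []
    for key in BIND_KEYS:
        value = settings.get(key, "").strip("[]")
        hosts += [h.strip().strip("\"'") for h in value.split(",") if h.strip()]
    if hosts:
        exposed = any(not is_loopback(h) for h in hosts)
    else:
        # No explicit bind: per the thread, >= 2.0 stays on localhost,
        # < 2.0 listens on everything.
        exposed = major_version < 2
    auth_hint = any(k.startswith(AUTH_PREFIXES) for k in settings)
    return {"hosts": hosts, "exposed": exposed, "auth_hint": auth_hint,
            "fail_open": exposed and not auth_hint}

if __name__ == "__main__":
    sample = 'network.host: 0.0.0.0  # constructed sample: "works from home"\n'
    print(audit(sample, 2))
```

Anything that is not a literal loopback address or `_local_` is treated as reachable, so the check errs toward flagging.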