Hacker News
by pdkl95 3172 days ago
> they have no proof of a real world vulnerability

So what. This "default allow" attitude is easily more damaging than any other source of security problems. You (or anyone else) cannot know all of the ways exposing new data could be exploited, or might already be exploited in ways that we are not lucky enough to know about.

Caring about security - which includes the future unknown unknowns you don't yet know to even look for - means minimizing what is exposed to the public attack surface to what is both needed (which does not include anything merely "wanted") and demonstrated/proven to have trivial risk with known limits.