My understanding is that the config is available via localhost only. In most instances it does not need to be disabled. I think the hope is that it will be left enabled in production, not disabled.
The default listen address is "localhost:2019", which means it'll only accept requests from apps running on the same machine. If you're running untrusted code on the same machine, then that might be problematic for you. You can also change the admin endpoint to be a Unix socket instead of a TCP endpoint, which allows you to use Linux file permissions to protect it.
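To make the three options discussed above concrete, here is an added Caddyfile global-options example (written for this thread, not taken from either poster or from the Caddy project's docs). The socket path `/run/caddy/admin.sock`, the `caddy` group name and the `0660` mode are assumptions chosen for illustration; the `|perms` suffix on the socket address is also an assumption that depends on your Caddy version, so check the release notes for the version you run before relying on it.

```caddyfile
# Added example: choosing where the admin API listens.
# Only one of the three `admin` lines below should be active at a time.

{
    # 1) Default behaviour, equivalent to leaving the option out:
    #    TCP on the loopback interface only. Anything running on the
    #    same host (including untrusted local processes) can reach it.
    # admin localhost:2019

    # 2) Unix domain socket instead of TCP (assumed path and mode).
    #    Reachability is now governed by filesystem permissions on the
    #    socket and its parent directory rather than by "who is on the
    #    machine". The "|0660" permission suffix is an assumption about
    #    newer Caddy versions; without it, the socket inherits perms
    #    from the process umask and you tighten them after startup
    #    (e.g. chown root:caddy and chmod 0660 on the socket).
    admin unix//run/caddy/admin.sock|0660

    # 3) Fully disabled. Note this also disables `caddy reload`,
    #    which is why the first reply above expects it to stay on.
    # admin off
}

example.com {
    respond "ok"
}
```

When using the socket form, keep `/run/caddy` owned by the Caddy service user with a group limited to operators who may reload config, and verify with `ls -l /run/caddy/admin.sock` that no world-readable or world-writable bit is set; the admin API accepts config changes, so write access to the socket is equivalent to control of the server.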