by Nextgrid
751 days ago
There is security and there is cargo cult. "unprotected" really depends on what the user is using the device for, what the vulnerabilities are, and what's the worst thing someone with total root level access to the device can actually do. If the device is using a read-only firmware, has a secure boot chain of trust, lives behind a firewall and only makes outgoing connections, the risk is very limited. You can't directly connect to it, so your only option is to tamper with traffic in transit and exploit some buffer overflow in how it parses replies to its requests - that's already a very targeted attack that's really hard to scale, and with an intact secure/trusted boot chain it still means you can't persist so you'd need to redo this every time the device is rebooted. And finally, assuming you manage to do all the above, what's the payoff? For a "Car Thing", the payoff is quite limited. I guess you can blast obnoxious music at full volume against the user's wishes?