Sure, I agree with that behavior assuming the user wants the security. If the user wants to disable it, they should be able to do so. It's awful to assume users can't make the decision for themselves.
To be clear, this bug is about arbitrary code execution on another machine as soon as a user on that machine opens an email with Emacs that has a malicious org attachment. It is not about the user opening one of their own files, and the user has no chance to preview the code before executing it. So it is a perfect remote takeover of any machine that happens to use a default Emacs for email.