The issue with Meteor was that all clients have full write access to the server-side database, including other users' data. Which is problematic, to say the least.
This actually isn't true. One can easily remove the "autopublish" package to disable the behavior of publishing all data to the client, and selectively publish only certain records to the client. Then, all client-side database modification methods can be disabled, and using server-side functions, an authentication system can be built and you can build your application's logic.