No, they’re not.
They’re design choices where the default that has been chosen is dangerous for somebody deploying the software. Plenty of web apps do not have those pitfalls.