It sounds like they listen on localhost by default (http://docs.mongodb.org/manual/reference/mongod/#options), though I'm not sure if that's always been the case. It's also possible installers change the default behaviour. (i.e. when you install via apt, yum, homebrew, etc.)
Good point, it might have changed recently and last I installed it on Ubuntu it listened on 0.0.0.0. It certainly would make a lot more sense to listen to localhost by default, which is what most daemons do.