> "Everything is ease-of-use optimized, to the point that you can query Mongo via the browser console."
meteor remove autopublish
meteor remove insecure
The Mongo-accessible frontent is genius. This makes your prototyping much faster, and you can totally skip the "model" layer of your frontend. It matches your backend automatically. No further configuration needed. No REST endpoints, no callbacks. And yes, it's secure.
Meteor's security model is very well-designed. The list of things left for the developer to do, security-wise, is very short.
It's still important to learn your tools and understand how security works.