Buckets are private by default and always have been. A bucket needs to be made public. Given that, I would hazard a guess that buckets are often made public (when they shouldn't be) either for testing purposes and never reverted, or because creating proper access to the bucket took too much time/knowledge.
I sometimes have to support freelancers working in some of our WordPress websites. Their first instinct when something is wrong on their end is asking me to run a chmod or chown command they found on Google on the whole directory. Not that it matters – we're using Docker.
Security seems to be secondary when the priority is to just deliver.
Security should be secondary. I know that sounds wrong. And that’s not an absolute, sometimes security comes first. But in general, everyone is trying to get stuff done and security gets in the way. My passwords get in the way of using my devices. My keys get in the way of coming home.
That’s different from saying “security should be an afterthought”. Security is something you should consider consciously and prioritize against your other goals.
Putting security first is kind of weird if you think about it. Imagine building a house and prioritizing the locks.
Further, sometimes users aren't truly aware of the implications of what making a bucket "public" means. Heck, maybe the original use-case wasn't too concerning, but it changed over time. The folks writing/reading from the bucket are also likely distinct from those setting up the infrastructure - although that's (thankfully) not always the case these days, it certainly can still be.
This reminds me of how React has a dangerouslySetInnerHTML[1] API - sometimes it's the hammer you need, but the name should (hopefully?) cause pause.