By default, GeoServer will allow full WFS transactions, letting anyone who can access the server edit and delete data. This leads to many GeoServers running with that configuration without their administrators knowing. One can trivially find many such servers, run by companies, universities, government agencies, free projects, etc.
Of course, this could be considered an oversight on the user's part, but I would highly suggest safe, restrictive defaults. Users (including me) are "stupid" and will use whatever works, ignoring possible problems in features they do not use.
Please do not allow WFS transactions by default.
I assume that this will apply to other services as well, but I only looked at WFS. Please spread it to other parts of GeoServer as needed.
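An added example, not part of the original report and not GeoServer's own code: a check an administrator can run against a WFS GetCapabilities response saved from their own server, to see whether transactional operations are advertised. The two sample documents are constructed; the element names assume the OGC WFS 1.0.0 and 1.1.0 capabilities layouts.

```python
import xml.etree.ElementTree as ET

# Operations that modify or lock data, as named in the OGC WFS specification.
TRANSACTIONAL_OPS = {"Transaction", "LockFeature", "GetFeatureWithLock"}

# Constructed sample: WFS 1.1.0 capabilities advertising Transaction.
SAMPLE_110 = """
<wfs:WFS_Capabilities xmlns:wfs="http://www.opengis.net/wfs"
                      xmlns:ows="http://www.opengis.net/ows" version="1.1.0">
  <ows:OperationsMetadata>
    <ows:Operation name="GetCapabilities"/>
    <ows:Operation name="GetFeature"/>
    <ows:Operation name="Transaction"/>
  </ows:OperationsMetadata>
</wfs:WFS_Capabilities>
"""

# Constructed sample: WFS 1.0.0 capabilities of a read-only service.
SAMPLE_100_READONLY = """
<WFS_Capabilities xmlns="http://www.opengis.net/wfs" version="1.0.0">
  <Capability><Request><GetCapabilities/><GetFeature/></Request></Capability>
</WFS_Capabilities>
"""

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def advertised_transactional_ops(capabilities_xml):
    """Return the sorted transactional operations a capabilities document lists."""
    root = ET.fromstring(capabilities_xml)
    found = set()
    for el in root.iter():
        name = local(el.tag)
        # WFS 1.1.0 and later: <ows:Operation name="Transaction">
        if name == "Operation" and el.get("name") in TRANSACTIONAL_OPS:
            found.add(el.get("name"))
        # WFS 1.0.0: operations are child elements of <Capability><Request>
        elif name == "Request":
            found.update(local(c.tag) for c in el if local(c.tag) in TRANSACTIONAL_OPS)
    return sorted(found)

if __name__ == "__main__":
    for label, doc in (("1.1.0", SAMPLE_110), ("1.0.0", SAMPLE_100_READONLY)):
        ops = advertised_transactional_ops(doc)
        print(label, "advertises:", ops if ops else "no transactional operations")
```

An advertised operation shows what the service exposes, not who is authorized to call it, so a non-empty result is a prompt to review the service configuration and access rules.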