Would be nice to have the current default permissions inverted for security considerations.
I understand the benefit of having new developers not to worry about how to configure master keys and use it directly, but systematically i find it very concerning that you ship a system that is unsafe and rely on the user to make it safe.
I created a few event synchs with the UI and they all are created automatically. Now the question arises for me, do I need to correct / secure things your automated services create?
From other frameworks I would be able to just rely and say, I did not create it โmanuallyโ so I donโt need to worry about it, but how is it now in your case? I noticed that this uncertainty stems from the inverted security policy.
If you alternatively have a production switch that automatically locks down everything into safe mode and then the user must explicitly find and set the permissions as required, the security should increase tremendeously and also trust into your automated UI services would be restored from my perspective.