I feel like that sb_publishable key should be called something like sb_publishable_but_only_if_you_set_up_rls_extremely_securely_and_double_checked_a_bunch. Seems a bit of a footgun that the default behaviour of sb_publishable is to act as an administrator.

I worked very briefly at the outset of my career as a sales engineer role selling a database made by my company. You inevitably learn that when trying to get sales/user growth, barrier to startup and seeing it "work" is one of the worst hurdles to leap over if you want to gain any traction at all and aren't a niche need already. This is my theory why so much of the "getting started" stuff out there, particularly with setting up databases, defaults to "you have access to everything."

Even if you put big bold warnings everywhere, people forget or don't really care. Because these tools are trained on a lot of these publicly available "getting started" guides, you're going to see them set things up this way by default because it'll "work."