Completely agree on the encryption point. Apple controls the entire stack and could mandate FileVault encryption by default. The fact that it's opt-in is a weird decision that hasn't caught up with their security posture elsewhere.

On the Terminal point, its worth clarifying that Recovery Terminal does require mounting the data volume first, which typically prompts for an admin password. Safari bypassed that step entirely, which is what made it interesting.

Interesting point on the missing admin password, that does pose a slightly higher risk.

Though IIRC, at least the Intel Macbooks still support some kind of Target Disk Mode that should also bypass the admin password? I don't know if that requires an admin password but none of the guides I can find online state that it's required.