My point is that these defaults that look secure to a non-expert, but do not hold up to scrutiny, are probably intentional.

I have found that even many tech people have incorrect beliefs about these things, like assuming that iCloud Backups are E2E encrypted by default or that disabling Allow Apps to Request to Track disables trackers inside apps.