Currently, the ActiveStorage controllers by default have very minimal security. Of particular note, ActiveStorage::DirectUploadsController has no authentication. I spent much of my day looking at this thinking I just didn’t understand how the code worked or was overlooking something until I started the linked discussion.
I don’t really know how to come up with a better situation that fits into Rails but it feels like the default is more dangerous than a default should be.