Unless someone wants to access their HA instance from outside their network, which a lot of people do enjoy the ability to do. I, for one, need that ability, because Alexa/Home doesn’t support everything yet.
This is a double edged sword.
On the one hand, it is up to the user to understand the security of their network, which doesn’t necessarily mean it is Home Assistant’s responsibility to hold the user’s hand in this regard. It is up to the user to take on the responsibility to maintaining their network security. Sadly, people love to shout how they want their privacy and security, but don’t want to take the time to learn it.
I’m not sure what else Home Assistant as a project could do to warn people about the real dangers, as it should be expected and understood what the dangers of opening up ANY service to the outside world. How does this fall under HA’s responsibility?