By default CouchDB gives everyone in the world admin access to your instance; it also doesn't listen on an external interface.
There isn't any confusion over 'sensible defaults' because sensible defaults don't really exist; the way people use CouchDB is very varied. If you are going to expose any data to the world, you need to know what that entails. In this case I believe it was done to help people run their own npm instance, and Couch introduced new functionality in order to handle that case in a more secure way.
tl;dr I don't believe this is a Couch issue in the slightest, purely an issue with how npm was built.
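The "everyone is admin" default the comment above refers to is CouchDB's "admin party": until an `[admins]` entry exists in the config, an anonymous caller already holds the `_admin` role. The quickest practical check is to ask `/_session` without credentials and look at `userCtx.roles`. The script below is an added example, not code from the thread or from the CouchDB project. It assumes the CouchDB 1.x `/_session` response shape; the sample bodies are constructed here to look like that response, and `check_couchdb` and the `127.0.0.1:5984` address are illustrative choices.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample bodies for GET /_session, shaped like the CouchDB 1.x
# response (assumption for this example). Anonymous caller, "_admin" role
# present: the server is still in "admin party".
ADMIN_PARTY_SESSION = json.dumps({
    "ok": True,
    "userCtx": {"name": None, "roles": ["_admin"]},
    "info": {"authentication_db": "_users",
             "authentication_handlers": ["oauth", "cookie", "default"]},
})

# Same endpoint after an [admins] entry has been configured: anonymous
# caller, no roles.
LOCKED_DOWN_SESSION = json.dumps({
    "ok": True,
    "userCtx": {"name": None, "roles": []},
    "info": {"authentication_db": "_users",
             "authentication_handlers": ["cookie", "default"]},
})


def is_admin_party(session_body: str) -> bool:
    """Return True when an unauthenticated /_session body shows the anonymous
    caller (name == null) holding the server-admin role."""
    doc = json.loads(session_body)
    ctx = doc.get("userCtx") or {}
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


def check_couchdb(base_url: str, timeout: float = 5.0) -> dict:
    """Hypothetical helper: fetch /_session with no credentials and classify
    the instance. Returns a dict so a caller can act on the result."""
    url = base_url.rstrip("/") + "/_session"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except HTTPError as exc:
        # e.g. 401 when require_valid_user is on: reachable, not admin party
        return {"url": url, "reachable": True, "admin_party": False,
                "http_status": exc.code}
    except URLError as exc:
        # Connection refused or no route: not exposed on this address at all
        return {"url": url, "reachable": False, "error": str(exc.reason)}
    return {"url": url, "reachable": True, "admin_party": is_admin_party(body)}


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    for label, body in (("admin party", ADMIN_PARTY_SESSION),
                        ("locked down", LOCKED_DOWN_SESSION)):
        print(label, "->", "EXPOSED" if is_admin_party(body) else "ok")
    # Live check against a local instance (assumed address); uncomment to run:
    # print(check_couchdb("http://127.0.0.1:5984"))
```

Run the live check from another host as well as from localhost: the two defaults the comment names are independent, so an instance can be in admin party and still unreachable from outside (bound to `127.0.0.1`), or bound to `0.0.0.0` with admins configured. Only the combination of "reachable from the network" and `admin_party: True` is the fully open case.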
I'm wondering what you mean here when you say "on the local device". Are you implying that it is guaranteed that the local device is not exposed? I don't see why you would have to explicitly expose something. The entire instance is exposed by default.
But that has nothing to do with the instance access control or the database access. Changing the listening interface isn't going to magically fix the default security setup.