Q: “How worried should I be about my Salesforce Community’s security?”
A: Let’s say “more vigilant than you are right now”, i.e., pretty worried.
- This article gets at the problem: Salesforce makes it easy to accidentally set up a Community that overshares data.
Salesforce, in weaselly corporate fashion, doesn’t shout this problem from the rooftops, but instead quietly pushes out Release Updates.
- This article has some good commonsense fixes–let’s call it solution #1.
- This article lists some more–let’s call it solution #2.
- And this article delves into a specific problem: you ought to switch off allowStandardPortalPages for all your Communities. Vote for the related Idea. Call it solution #3.
And OMG, I was astounded to learn that there’s a User Permission out there called “View All Custom Settings”–and, based on my quick experimenting, it overrides “API Enabled”. wtf!
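One defender-side check that follows from the last point, as an added example rather than anything from the linked articles: audit which profiles and permission sets grant “View All Custom Settings”, and flag the ones that belong to external (Community/site) users, where the permission granting data access without “API Enabled” matters most. It assumes the input is the records list from a SOQL query over PermissionSet; the field names (PermissionsViewAllCustomSettings, PermissionsApiEnabled, IsOwnedByProfile, Profile.UserType) and the external UserType values are my assumptions, and the sample records are constructed.

```python
"""Audit a Salesforce PermissionSet export for 'View All Custom Settings'.

Assumed input shape: the 'records' list returned by a query such as
  SELECT Label, IsOwnedByProfile, Profile.Name, Profile.UserType,
         PermissionsViewAllCustomSettings, PermissionsApiEnabled
  FROM PermissionSet
Field names and UserType values are assumptions; verify them in your org.
"""
from typing import Dict, List

# Profile.UserType values assumed to denote external (Community/site) users.
EXTERNAL_USER_TYPES = {"Guest", "CspLitePortal", "PowerPartner",
                       "CustomerSuccess", "PowerCustomerSuccess"}


def audit_custom_settings_access(records: List[Dict]) -> List[Dict]:
    """Return one finding per record that grants View All Custom Settings.

    External-user profiles are rated 'high' (Community members or guests can
    read every custom setting); internal grants are rated 'medium'.
    api_enabled is recorded so you can see grants that exist even though
    API Enabled is off, the combination the article calls out.
    """
    findings = []
    for rec in records:
        if not rec.get("PermissionsViewAllCustomSettings"):
            continue
        profile = rec.get("Profile") or {}   # null for standalone perm sets
        owned_by_profile = bool(rec.get("IsOwnedByProfile"))
        external = profile.get("UserType") in EXTERNAL_USER_TYPES
        findings.append({
            "name": profile.get("Name") if owned_by_profile else rec.get("Label"),
            "kind": "profile" if owned_by_profile else "permission set",
            "external": external,
            "api_enabled": bool(rec.get("PermissionsApiEnabled")),
            "severity": "high" if external else "medium",
        })
    # High-severity findings first, then alphabetical.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["name"]))


# Constructed sample records (not real org data), shaped like a REST response.
SAMPLE_RECORDS = [
    {"Label": "Customer Community User", "IsOwnedByProfile": True,
     "Profile": {"Name": "Customer Community User", "UserType": "CspLitePortal"},
     "PermissionsViewAllCustomSettings": True, "PermissionsApiEnabled": False},
    {"Label": "Site Guest User", "IsOwnedByProfile": True,
     "Profile": {"Name": "Site Guest User", "UserType": "Guest"},
     "PermissionsViewAllCustomSettings": True, "PermissionsApiEnabled": False},
    {"Label": "System Administrator", "IsOwnedByProfile": True,
     "Profile": {"Name": "System Administrator", "UserType": "Standard"},
     "PermissionsViewAllCustomSettings": True, "PermissionsApiEnabled": True},
    {"Label": "Integration Access", "IsOwnedByProfile": False, "Profile": None,
     "PermissionsViewAllCustomSettings": False, "PermissionsApiEnabled": True},
]

if __name__ == "__main__":
    for f in audit_custom_settings_access(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['kind']} {f['name']!r} "
              f"external={f['external']} api_enabled={f['api_enabled']}")
```

Run it against a real export by replacing SAMPLE_RECORDS with the parsed query result; anything rated high on a Community or guest profile is worth removing unless you can explain why that audience needs every custom setting.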