Re: 'is it the default'...
No, it is not the default for S3 buckets. The default setting is that only the owner has read-write access; no one else has any access. You must intentionally change a setting for an S3 bucket to be world-readable.
In fact, if you have world-readable S3 buckets in your AWS account, AWS periodically sends you remind-o-grams, asking if that's what you really want.
So it's unclear why there's so much desire here to place blame on AWS. Misconfigured security settings is absolutely a customer problem.