“While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”
So it's up to the developer to enable the "security" that protects sensitive data -- which they might want, but otherwise could not access without permission?
No one could possibly have anticipated that anything could go wrong there.