keeping connect permission by default granted to PUBLIC in PostgreSQL is opening a wide security hole that shouldn't exist in the first.
This isn't a bug nor a security issue, but I do concur that we should remove these defaults. We've successfully (without being questioned why by users) done both public schema and createrole attribute changes in the past couple of years and this seems like a natural progression of secure defaults.