
This exactly. It's hard to properly understand security, even for educated professionals. IMHO security features should be the default only if they are demonstrably correct or hard to misuse.

Otherwise, the often wiser thing to do is to make the danger of doing something as obvious and blatant as possible. It's like the debate around having a root account or not: IMHO it's better to have a superuser that everybody perceives as an obvious danger, that's easily recognizable and never really ok to use for mundane tasks. I've seen people misunderstanding Windows ACLs way too often because of this.


