Most likely this is a category of 401k (or IRA) called a SEP IRA. It works to the company's tax advantage and they have the ability to force it on all employees. All employees is a requirement of this. I don't have a ton of knowledge about this, but about a decade ago I dug in to it because my wife's company did this to us at a time we really needed more flexibility on what she was contributing. I don't remember the nuances, but sadly I found it out that (at least at the time) while it seems sketchy as hell, it was legal if the company met all the requirements/followed all the rules to do this.
I think it's less that "developers think this is okay", and more that this was an alpha stage project prior to the Reddit meltdown and influx a couple of months ago, and they've been working their asses off to keep the site up and stable, and are working to evolve the functionality to meet the need as soon as practical/possible.
I would like to be able to turn off Random Magazines, Random Posts, and "turn on" Magazines I'm subscribed to on the sidebar. All of these as user options would be great.
I know there's a lot of work going on and I know all of these items come up fairly regularly, I'm relatively sure they'll be addressed in due course.
On Mastodon at least, neither authorized fetch, nor "disallow unauthenticated API requests" really stops the outflow. it does in an ActivityPub sense, however, I have both flags activated on my instance, but Mastodon has an RSS feed for every account, by just adding .rss to the profile URL, and anyone can pull that without authentication.
The option to turn off .rss feeds for accounts doesn't exist in a standard mastodon install. the Hometown fork of Mastodon has the option to disable it.
So while the flags above will help prevent random discovery/propagation by others on the Fediverse, there are still open doors for accessing the data, at least on Mastodon. I can't really speak for the other projects.
He's got 99 problems and well...