There has been a fresh wave of folks exploiting it recently (I have had a few people complain in the past 12 hours about calendar spam). Google apparently stands by the fact that it is a "feature".
It is convenient if it's not getting spammed. I use it to passively keep track of things my SO or parents have planned, like coming up to visit or other random events. With calendar injection they just show up and I don't have to constantly wade through my over-cluttered Gmail (side effect of having it for almost 15 years now).
Lots of things are convenient until they are abused. SMTP without SPF or DKIM is convenient if it's not being spammed. HTTP is fine for authentication until it's being eavesdropped on.
There is a middle ground. Allowing random people to plop stuff on your calendar via an API call is not the best idea. I personally have had to tell five different people how to stop this sort of spam; I don't think they'd agree it's convenient.