
How is a local network different from the internet, presuming there is no firewall or NAT between the client and the server?


On a local network, you make the assumption that there are only authorized users.


Uh oh, that assumption is a big no-no.


depends


Can you elaborate? Honestly asking.


I wouldn't recommend it with PCs, notebooks, phones, random crapware, but:

When you control¹ all the devices on the network, the network is small enough and the danger from the non-authenticated protocols isn't too high, then I would say it is reasonable to assume being present in the network is sufficient authentication. Not saying it could not be improved, but there are probably many more pressing concerns.

¹ you don't fully control anything anymore, but you're not going to fix that either.


The air-gapped power plant networks I work on have unused Ethernet ports shut off and the ones in use only accept traffic from the MAC address of the device that is meant to be there. So you can’t just show up and plug in.


Thanks a lot. That gave some perspective. I'll keep that in mind.


> presuming there is no firewall or NAT between the client and the server

That's one of the issues though. If you can't access a machine via its internal IP, many useful usage patterns break.

Someone complained that the issue is that services aren't secure, but there's more to it than that: good security depends on defense in depth, and firewalls are an important part of that.



