World readable is not the default. You get scary warnings when you do it and you can set it up on the account and the organization level to block it. There is no “click a button to make it world readable”. You have to know the JSON policy.
However, you do not need to use custom policies - it's checkboxes on the S3 bucket creation page. And the wording on them is obtuse AF, and I know what I'm doing with AWS IAM.
Defaults matter, and AWS cares more about ease of use over security. Which helps explain their security position.