Discuss boilerplate API permissions defaulting to not permitted

Description

Currently API views default to AllowAll permissions. Positive action therefore needs to be taken to lock an API down. Is it better instead that endpoints be explicitly marked as anon accessible?