It is a major design flaw in IOTAs client as there are absolutely no measures for authorization. It is not the fault of the user, it is a disastrous design. There are 3 A's in information security:

Authentication (that's the seed)
Accounting (that's your balance and history)
Authorization => they did not implement this at all. It should at least be password protected at bare minimum.