Meanwhile it seems everything in Microsoft 365 defaults to "anyone internal can access/use the resource." As a result, I've seen large organizations leaking some of their most sensitive information to regular users.