
If you're sitting at someone's computer you can do all sorts of stuff. Their calendar and email are probably already open. You can look at their photos. You can even listen to their music.

Update: I should add that this probably should be optional since it goes against a reasonable expectation. But considering it requires an "attacker" to have physical control of the computer, I don't find it super serious. Dropbox behaves the same way (though I guess you usually don't see anything else on the web that you can't on the desktop).



I completely agree with you, and in general hate when people whine about security where there wouldn't be an expectation of some.

That being said, I think it would be nice if Google made this particular functionality optional. For some shared user environments where you want to maintain the illusion of privacy (e.g. "family computer"), it might be nice to force a password to view more sensitive information (e.g. e-mail).

I won't comment on Dropbox because I don't expect any better from them with regard to security.


> That being said, I think it would be nice if Google made this particular functionality optional. For some shared user environments where you want to maintain the illusion of privacy (e.g. "family computer"), it might be nice to force a password to view more sensitive information (e.g. e-mail).

Agreed. No difference for me since I have my Google-powered mail all going into Mail.app, which does not require a password, but in some shared environments I definitely see the point. Though in a shared environment you should be using different accounts, otherwise stuff like Google Drive and Dropbox don't really make sense anyway.


A shared computer can still have different user accounts. There's really no reason to share an account anyways, and on Mac and Windows machines at least (can't speak to any particular Linux) this gains you access to parental controls and other useful widgets.

Basically if you leave your account logged in, it's expected behavior that anyone who rolls up to the console has access to everything that account does. This is not a security issue at all.


The question I have is if malware on your computer can access these credentials or click the link?


Of course it can. Google can obfuscate it if they like (presumably quite well, being Google), but ultimately it's just data on the machine. Malware has just as ready access to that as everything else.


If I log out of my Google account in the browser, I have a reasonable expectation that things on that computer can't log into my Google account in the browser without my credentials.

Edit: I think I accidentally downvoted you...



