I think the issue is because of the “developers”, not the platform. So, let me explain to the lazy developers how to fix these issues just by reading the platform documentation:
1 - Anonymous Users: in the Parse Server config, just set “enableAnonymousUsers = false”.
PS: if you need anonymous users, then read and understand more about the platform, but yes, you can have them safely.
2 - Class creation: in the Parse Server config, set “allowClientClassCreation = false”.
PS: Why allow client-side apps to create Classes? Anyway, with more knowledge it can be safe too.
3 - Modify data of any instance: Just read the documentation and set the basic ACL.
PS: Parse uses the Class ACL before the object, so even if the object has “public access” but the Class ACL doesn’t, this object will not be public.
4 - File uploads: Parse Server has fixed this issue with “file triggers”; just read the DOCS.
About the video: “Almost all of the ACL documentation is hidden on sub pages”. OMG man, it is documented, the code is OPEN; learning a tool before using it is the basics of any development, the BASICS!!!
The documentation needs to explain to the developer that if he doesn’t set “private” on the content that he needs to be private, and by default, to help the developer test and run the platform quickly, is an issue? Please!
And about the numbers of “exploited data”: again, it is the fault of the services' maintainers and developers, not the Parse Platform, which gives you the FREEDOM and POWER to allow this or not.
In the end, my opinion about this video is that you don’t need to be an expert in “penetration” security; just use Parse Platform for the first time, you can test it on Docker quickly on your machine, hahaha, and done, you “hacked” the Parse Platform, hahaha.
From a front-end developer's perspective, I think Parse was a great way to learn and have a good backend service… The rest is knowledge and experience. Even if you can get some hosted alternatives, if you want to be sure about something, go ahead and learn it; when it is open source, even better.
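
Added example (not part of the comments above and not Parse Platform code): a small JavaScript check for the settings named in points 1 to 3. It assumes “Class ACL” refers to Parse's class-level permissions (`classLevelPermissions` in a class schema); `auditParseConfig` and the sample inputs are hypothetical names and constructed data.

```javascript
// Operations that change data or the schema; public access here is
// what point 3 ("modify data of any instance") is about.
const WRITE_OPS = ['create', 'update', 'delete', 'addField'];

function auditParseConfig(options, schemas) {
  const findings = [];
  // Conservative assumption: anything not explicitly false is reported,
  // so the result does not depend on a given version's defaults.
  for (const key of ['enableAnonymousUsers', 'allowClientClassCreation']) {
    if (options[key] !== false) {
      findings.push(`${key} is not explicitly false`);
    }
  }
  for (const schema of schemas) {
    const clp = schema.classLevelPermissions;
    if (!clp) {
      findings.push(`${schema.className}: no classLevelPermissions in input`);
      continue;
    }
    for (const op of WRITE_OPS) {
      // "*" is the public principal in a class-level permission entry.
      if (clp[op] && clp[op]['*'] === true) {
        findings.push(`${schema.className}: public ${op} allowed`);
      }
    }
  }
  return findings;
}

// Constructed sample input (class names and roles are made up).
const sampleOptions = { enableAnonymousUsers: false };
const sampleSchemas = [
  { className: 'Order',
    classLevelPermissions: {
      find: { '*': true }, get: { '*': true },
      create: { requiresAuthentication: true },
      update: { 'role:admin': true }, delete: { 'role:admin': true },
      addField: {} } },
  { className: 'Comment',
    classLevelPermissions: {
      find: { '*': true }, create: { '*': true },
      update: { '*': true }, delete: {}, addField: {} } },
];

console.log(auditParseConfig(sampleOptions, sampleSchemas));
```

File triggers (point 4) live in Cloud Code rather than in the server options, so this check does not cover them.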