See title. Funds on the node are quite vulnerable due to only a password protection funds on a node from remote attackers. And most apps even have standard passwords, so then only the onion-adress is needed.

Closing as this should have been resolved with recent release of 2fa.