Meteor apps, by default, have an insecure package. It's best to keep this in at the start to make development easier but ulltimately this will need to be removed and secure operation need to be added manually.
Same with a package called autopublish. This publishs all data up to the clients automatically. Ultimately this needs to be removed and publish/subscribe needs to be managed manually.
Meteor Methods can be used to make things more secure. Meteor methods use RPC calls to methods defined on the server. The nice thing is, you also define them on the client. So, when you call a meteor method it executes on the client and the server - the client returns instantly then, once the server returns, if there's a difference, it will patch up the client. (This is latency compensation).
As mentioned before, some things are defined on the client, some are defined on the server, and some are defined on the server and the client. It's a bit hard to get you're head around this at the st
Phil McClure overture8