
>It is weird to see them go out of their way to disable conventional security features on their product

Honestly, with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges, devs will disable things that limit access or otherwise randomize the output in order to catch the problem, and then 'hopefully' come tighten it back up when they are done. Unfortunately, the second part rarely happens unless you have security auditors follow you around.
That is why there are then folks like me, complaining in code reviews or adding configurations into the CI/CD pipeline.

However, it is indeed a quixotic battle in some scenarios regarding security best practices.
