To be clear, I don't claim to know what the right answer to this is, but I feel as though oscillating between two mutually contradictory policies ("all Settings backends must be safe to run in all environments" vs. "we need to avoid running unintended Settings backends") can't be it....