I’m not sure it’s wise to have the System User (non admin) account enabled by default.
We’ve been instructed that if we want remote access, we must enable it. We have been doing this, but just discovered the user login (user/user) gets enabled too.
I don’t recall anyone discussing disabling the user account while they were mentioning enabling remote access. If you decide to leave it active, you should at least change the password so that the outside world can’t get in and make changes the user account is allowed to change.