By default, the roles for anonymous access are full privilege, but they should really be just read-only. This can be mitigated by explicitly setting the "anonymous-roles" attribute to "readonly". The XSD and ModelAttribute should be updated.
In 3.x, we cannot change the default without risking problems when users upgrade, so we'll keep the default.
Neither 3.x nor master allows setting the "anonymous-roles" attribute to a blank string; the ModelAttribute validator needs to be corrected in all versions.