I am not confused at all. In fact, what you say fits the picture I have painted, namely, the following.
When you expose an interface as Public, then expect, well, public access. That is so by design. It is not a security risk! If you insist on calling it a risk, then, according to your design, it is a risk you are willing to take.
As I said, "To solve this, the ColdFusion Team has to return to their original design of Websocket and redo it". They might choose to make access Remote. That is a possible solution. There are others.