@luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.
The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.
I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.