Some of it was the latter. Matrix servers could be used in the past to store and serve unauthenticated media to anyone[0], which was described by the team as "not great"[1] and "abuse of Matrix as a content distribution network" [2].
I believe the team was prudent in being reserved about describing the issue (and the abuse it could entail) until after these changes rolled out in 2024[1], especially due to the unique challenges they required (including putting a freeze on unauthenticated media as part of the upgrade process).
I believe the team was prudent in being reserved about describing the issue (and the abuse it could entail) until after these changes rolled out in 2024[1], especially due to the unique challenges they required (including putting a freeze on unauthenticated media as part of the upgrade process).
[0]: https://matrix.org/blog/2024/06/26/sunsetting-unauthenticate...
[1]: https://2024.matrix.org/documents/talk_slides/LAB4%202024-09...
[2]: https://matrix.org/blog/2025/02/building-a-safer-matrix/
[3]: https://matrix.org/blog/2024/06/20/matrix-v1.11-release/