I wonder if anyone has done the full analysis of what is required to set up
   a "secure" "securelevel 1" site?  The designers of the securelevel feature,
   presumably, but did they publish? 

if anyone has information relevant to this, please send it to me.

   Until such a thing is done maybe the thing to do is just turn off the
   feature by default, lest it give someone a false fuzzy feeling.

i've been advocating this for a long time now ...