You can put a reverse proxy in front of it to provide at least basic authentication measures and force HTTPS. Better than nothing at least.
But the main problem is that unsecured clusters by default have caused a lot of reputation loss to the brand. When every few months news hits about yet another unsecured Elasticsearch cluster that leaked huge amounts of data, it is getting harder and harder to explain to the less informed how that is the fault of those people who did not even bother running a reverse proxy, not the fault of Elasticsearch itself.
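An added example, not part of the original comment: a minimal nginx configuration for the kind of reverse proxy mentioned above, forcing HTTPS and requiring HTTP basic authentication in front of Elasticsearch. The hostname, certificate paths and password file are placeholder assumptions, and it assumes Elasticsearch listens only on 127.0.0.1:9200.

```nginx
# Redirect every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name es.example.internal;               # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name es.example.internal;               # placeholder hostname

    ssl_certificate     /etc/nginx/tls/es.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/tls/es.key;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require credentials before any request reaches Elasticsearch.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;   # placeholder, created with htpasswd

    location / {
        # Elasticsearch is assumed to be bound to loopback only.
        proxy_pass http://127.0.0.1:9200;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The proxy only protects the cluster if port 9200 cannot be reached directly from other hosts: bind Elasticsearch to loopback (`network.host: 127.0.0.1` in `elasticsearch.yml`) or firewall the port, otherwise clients can simply bypass nginx.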