Such a change is unlikely to be met with enthusiasm by the vast majority of users, and would likely be the source of many subsequent bug reports requesting the change to be reverted.

Whilst I acknowledge that node_exporter provides a wealth of information which could potentially be useful to attackers, the main purpose of the daemon is to be queried via the network by a Prometheus instance.

Many other network-based services will bind to the wildcard address by default, since they are functionally pretty useless if they don't do that.

The upstream Prometheus developers have long maintained the position that security is out of scope for Prometheus and its related exporters, since there is no "one size fits all", and end users are encouraged to weigh up what security precautions make sense in their specific environment.

If you are concerned about drive-by probes of node_exporter, or other services for that matter, I suggest that you look into running a firewall on your host.
