I propose that initdb should do
REVOKE ALL on pg_largeobject FROM public
same as it does already for pg_shadow and pg_statistic. This would
prevent non-superusers from examining or modifying large objects
except through the LO operations.
This is only security through obscurity, of course, since any user can
still read or modify another user's LO if he can guess its OID. But
security through obscurity is better than no security at all. (Perhaps
someday the LO operations will be enhanced to perform access-rights
checks. I have no interest in doing that work right now, however.)
regards, tom lane