The problem arises when running Syncthing as something privileged and not enabling authentication. The difference between Syncthing and any other services you may have been running as LocalSystem / LocalService is that Syncthing can be instructed to read/write any file it has permission to access by anyone who can open a connection on localhost:8080.