For the “non power user” that I am and who tends to break things out of ignorance – how do I check and make sure that I haven’t accidentally made the mistake to have given the whole world access to my files?
That thread is over 4 years old, stuff has changed since then. Nowadays, syncthing displays a big red warning banner if the GUI is not listening on localhost without any password set.
The address the GUI is listening on can be seen in the GUI under Actions -> Settings -> GUI -> GUI Listen Address. Something like 127.0.0.1 or ‘localhost’ means that the GUI is only accessible locally.
However, that setting may be overriden by startup options - in that case, a yellow warning is displayed above the Listen Address field. The actual address used is printed on startup in the log, something like this:
INFO: GUI and API listening on 127.0.0.1:8384
In any case, you may configure username and password to restrict access, even if the GUI is only accessible locally. In that case using HTTPS (TLS) is recommended too so that password-sniffing attacks are avoided.