Even if SFDC is configured correctly, any sufficiently large or old instance of SFDC may have dozens of other systems plugged into it. Many of which get default access to everything because SFDC security and permission configuration is so byzantine.
Absolutely and when throw in the ridiculous way SF does permissions AND their lack of tools for access visibility it’s no wonder these old systems stick around.
I’ve got another reply here with details but suffice it to say misconfigured Salesforce tenants are all over the internet.