I would say its probably not a good idea to make a bucket directly publicly accessible, but people do not do that.

A lot of the point of serverless is convenience and less admin and things like adding a layer in front of the bucket that could authenticate, rate limit etc. is not convenient and requires more admin.