"A recent claim about security on Google Home Hub is inaccurate," the company wrote. "The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network."
Which still isn't acceptable. That means anyone using the default settings on the Router from their ISP is at risk from anyone who has been in the house before. Since all they have to do is get the code from the side of the router. This also means the home security can be disabled by anyone you've previously allowed to connect to your home network.
The device shouldn't allow any login not from a verified device or a proper passcode.
Frankly I don't have much faith in any of these wireless, cloud connected security solutions. I just can't see them being as reliable as a traditional hardwired system with door and window sensors.