I've been discussing this with others and really thing public custom properties should be an opt in.
Honestly, view parameters seems like they would want to be private or at least protected.
I'm planning to write a script to set all of our custom props to private in the view JSON files on the gateway. Would doing this to view params also be safe as well? I basically only want view params and custom props to be set in our bindings and scripts, never from the browser.