Opening your computer to network. Incorrectly configured folders for sharing could end up wiping out your data (no warning or chance for recovery, unless you configure file versioning- which is confusing AND off by default). WebUI not configured with a password by default, allowing multi-user systems to access your files.
All of your complaints are specific to Syncthing which, admittedly, doesn't have great defaults (but the fans will be quick to defend it).
A webui for a desktop app can be made perfectly securely, though.
For example it can bind to 127.0.0.1, not do external network requests, and require a token (generated by a systray menu utility or an app shortcut for example) that will prevent automated exploits from accessing it as well as other users on a multi-user system.
