If you enable public access, they can not only edit previous public posts, but also posts made by the admin!!
Public posts should not be editible at all, or at least give the option to be turned off. What can happen is a spammer can modify previous posts (which what happened to my calendar, I had to trash the entire site extras table)
They were able to get in and modify the site extras table for ALL previous events.
This is a huge hole.