The files in ~/.ssh are usually initialized with restrictive permissions, so how do they end up getting exposed? The only way I can think off-the-bat is that someone absent-mindedly commits them to their git dotfiles and ends up copying them over to another machine when they do a `git clone` command.
the author cites "allowing developers to connect to the host with the www-data user", and this is a very specific form of incompetence.
www-data is the name commonly used by debian and debian-based distros to run apache and other http servers. it's literally, just designed to run the executable, not to upload new version of webpages or anything.
there are countless ways to avoid this pitfall, the simplest that comes to my mind is creating another user for uploading stuff and adding such user to the www-data group.
at the end of the day... meh. people might start a campaign about how not to use the www-data or something else, but not-very-techy people will find another way to misuse a webserver.
