That requires physical access, which is arguably more secure than internet access should your credentials be compromised. This is a major step in the right direction for Dropbox. I don't think it's Dropbox's job to encrypt and secure my local files. This would break many use cases, and there are other purpose-built solutions for this.

Dropbox made their business on an extreme convenience (your files everywhere through a dead-simple, familiar interface). Inconveniently, convenience is often the enemy of security. It's a "good thing" that Dropbox is now offering some granularity over the convenience/security spectrum.

That's hardly an unexpected security hole - most of my devices maintain local copies of everything in my Dropbox folder (phone/iPad excepted). Requiring password/two factor auth to get at the cloud hosted version of something in the local filesystem would achieve pretty much nothing.

Maybe there's people using Dropbox in some other fashion, but surely this is the intended/common use case?