The current documentation still mentions that default for anyRequest() is VaadinSecurityConfigurer is authenticated(), but this has been changed to denyAll in Vaadin 25.
The information is correct in the upgrade guide, but not in the in https://vaadin.com/docs/latest/flow/security/vaadin-security-configurer page.