Remove "Access all custom data" permission for Anonymous users.
As part of the default configuration set when installing Civi, the "Access all custom data" permission for "Anonymous" users is enabled within the CMS permissions list.
By default, users are able to craft URLs and see all custom data fields exposed via Profiles without authenticating. If individual field permissions are set correctly within the Profile, then no actual data is visible, however malicious actors may use this information to probe the system further or gain meta data which could be useful, e.g. for social engineering.
This permissions should not be enabled by default.