Desabilitando o Autopublish | Meteor: Crie single page applications com JavaScript

O pacote insecure é o que permite a escrita pelos clientes no banco de dados. O objetivo é justo esse que vc comentou de facilitar o inicio, a prototipacao.

Allow almost all collection methods, such as insert, update, and remove, to be called from the client. This package is useful for prototyping an app without worrying about database permissions, but should be removed as soon as the app needs to restrict database access.

Já o autopublish auto publica os dados das colecoes pros clientes. Tbm pra facilitar prototipacao:

Publish all server collections to the client. This package is useful for prototyping an app without worrying about which clients have access to certain data, but should be removed as soon as the app needs to restrict which data is seen by the client.

Nao sei se antes eles eram separados (talvez). Mas ambos tem o mesmo objetivo de prototipacao e cada um faz uma parte do trabalho (escrita e dados)