Well, if you (need to) care about protecting yourself against DOS attacks, you need to use tools and services that are specialized for that. And those are not application hosters.
Services like Cloudflare and a basic understanding of web technology (DNS, Routing, http, websocket, tcp etc) are your get to go here.
In fact, as an Application hoster, I would argue that: if you know that your app might be targeted by DOS attacks and you don’t do anything to prevent that, taking down my servers, I would - the least - kick you off my system.
Protecting against malious attacks means to lock down and limit your application to essential aspects in use. Something never anyone, without super high knowledge, could do for you. Which is probably the reason why it’s not forced into 1.2/1.3. It can break stuff (application level).
Saying that, I think it’s not Galaxys job to defend you against illegitimate traffic. They could provide easy integrations, like done with letsencrypt, but regarding DOS, they basically do that already by allowing you to set DNS entries freely.
But to make it clear: If you need to worry about DOS attacks, you either made someone (on purpose) pretty angry or you probably should have enough money to meet your SLAs. Don’t think about it on day 1-100.
However, (easyily) fixable application level vectors in meteor open source are a whole different story. Those should be taken seriously. But I would also expect that our community has some pen testers looking for loops, provide best practice feedback and pull requests. I have not seen much. So maybe there isn’t much? I don’t know.
But as we are talking about security in applications: Read the docs/guide and know what you are doing.
For me personally - “the ability to take down something” - is not an exploit. It’s the fundamental aspect of the Internet. But if data appears to be in danger, I am very sensitive and intolerant about potential security vectors.