As noted by @fejesjoco, current Ruuvi FW 2.2.2 is connectable by default and can be updated by anyone remotely without physical interaction from anyone else. This has been a requested feature for some applications where access to RuuviTags is difficult, for example when tags are installed within walls or floors.
As Ruuvi packages are signed with public key with it’s private pair published, anyone can create packages on RuuvITags - as intended. However this creates a security issue, as it is possible to create intentionally bricking packets.
Ruuvi FW 2.3.0-beta is not connectable by default, and it becomes connectable for 30 seconds after NFC scan.
Please discuss: Which behavior suits your use better? Should the default be non-connectable and become connectable after some action, or connectable and become non-connectable after some action?